Play interactive tour

Edit tour

Analysis Report bbbe7872ea466446da60c4da50020cbb.exe

Overview

General Information

Sample Name:	bbbe7872ea466446da60c4da50020cbb.exe
Analysis ID:	358272
MD5:	88ef84e623f21af8c30d3bba321a7448
SHA1:	701339b101c76fa1ba159c66b48ef2f9b6d73aa8
SHA256:	0095c39f2d6f62dea9fd6d066decab6f0a7acab87829f659efd01bc1d2564bd0
Tags:	exeNanoCorenVpnRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

bbbe7872ea466446da60c4da50020cbb.exe (PID: 6780 cmdline: 'C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe' MD5: 88EF84E623F21AF8C30D3BBA321A7448)

bbbe7872ea466446da60c4da50020cbb.exe (PID: 6996 cmdline: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

schtasks.exe (PID: 7072 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7124 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

bbbe7872ea466446da60c4da50020cbb.exe (PID: 5620 cmdline: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 0 MD5: 88EF84E623F21AF8C30D3BBA321A7448)

bbbe7872ea466446da60c4da50020cbb.exe (PID: 348 cmdline: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 5656 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6240 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6332 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6084 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6340 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238ff:$a: NanoCore 0x23958:$a: NanoCore 0x23995:$a: NanoCore 0x23a0e:$a: NanoCore 0x23961:$b: ClientPlugin 0x2399e:$b: ClientPlugin 0x2429c:$b: ClientPlugin 0x242a9:$b: ClientPlugin 0x1b686:$e: KeepAlive 0x23de9:$g: LogClientMessage 0x23d69:$i: get_Connected 0x15931:$j: #=q 0x15961:$j: #=q 0x1599d:$j: #=q 0x159c5:$j: #=q 0x159f5:$j: #=q 0x15a25:$j: #=q 0x15a55:$j: #=q 0x15a85:$j: #=q 0x15aa1:$j: #=q 0x15ad1:$j: #=q
00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3a5d:$a: NanoCore 0x3ab6:$a: NanoCore 0x3af3:$a: NanoCore 0x3b6c:$a: NanoCore 0x17217:$a: NanoCore 0x1722c:$a: NanoCore 0x17261:$a: NanoCore 0x30233:$a: NanoCore 0x30248:$a: NanoCore 0x3027d:$a: NanoCore 0x3abf:$b: ClientPlugin 0x3afc:$b: ClientPlugin 0x43fa:$b: ClientPlugin 0x4407:$b: ClientPlugin 0x16fd3:$b: ClientPlugin 0x16fee:$b: ClientPlugin 0x1701e:$b: ClientPlugin 0x17235:$b: ClientPlugin 0x1726a:$b: ClientPlugin 0x2ffef:$b: ClientPlugin 0x3000a:$b: ClientPlugin
0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b62e:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b62e:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdb0d:$x1: NanoCore.ClientPluginHost 0x3689b:$x1: NanoCore.ClientPluginHost 0x6b627:$x1: NanoCore.ClientPluginHost 0x711e6:$x1: NanoCore.ClientPluginHost 0x825bf:$x1: NanoCore.ClientPluginHost 0xdb6e:$x2: IClientNetworkHost 0x368c1:$x2: IClientNetworkHost 0x6b64d:$x2: IClientNetworkHost 0x7122b:$x2: IClientNetworkHost 0x82604:$x2: IClientNetworkHost 0x12f73:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20ee5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd612:$a: NanoCore 0xd62e:$a: NanoCore 0xd789:$a: NanoCore 0xd798:$a: NanoCore 0xda71:$a: NanoCore 0xda9d:$a: NanoCore 0xdb0d:$a: NanoCore 0x1d54f:$a: NanoCore 0x1d561:$a: NanoCore 0x1d59d:$a: NanoCore 0x29912:$a: NanoCore 0x29998:$a: NanoCore 0x29ae9:$a: NanoCore 0x3678d:$a: NanoCore 0x3682e:$a: NanoCore 0x3689b:$a: NanoCore 0x3695c:$a: NanoCore 0x3782d:$a: NanoCore 0x37880:$a: NanoCore 0x378b9:$a: NanoCore 0x3792c:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6340	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29cf0:$x1: NanoCore.ClientPluginHost 0x2f8af:$x1: NanoCore.ClientPluginHost 0x40c88:$x1: NanoCore.ClientPluginHost 0x570c9:$x1: NanoCore.ClientPluginHost 0x8160b:$x1: NanoCore.ClientPluginHost 0x29d16:$x2: IClientNetworkHost 0x2f8f4:$x2: IClientNetworkHost 0x40ccd:$x2: IClientNetworkHost 0x5712a:$x2: IClientNetworkHost 0x81631:$x2: IClientNetworkHost 0x5c52f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6a4a1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6340	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6340	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x29be2:$a: NanoCore 0x29c83:$a: NanoCore 0x29cf0:$a: NanoCore 0x29db1:$a: NanoCore 0x2ac82:$a: NanoCore 0x2acd5:$a: NanoCore 0x2ad0e:$a: NanoCore 0x2ad81:$a: NanoCore 0x2f829:$a: NanoCore 0x2f856:$a: NanoCore 0x2f8af:$a: NanoCore 0x370be:$a: NanoCore 0x370d1:$a: NanoCore 0x37103:$a: NanoCore 0x40c02:$a: NanoCore 0x40c2f:$a: NanoCore 0x40c88:$a: NanoCore 0x48497:$a: NanoCore 0x484aa:$a: NanoCore 0x484dc:$a: NanoCore 0x56bce:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6084	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6332	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x102db:$x1: NanoCore.ClientPluginHost 0x15e9a:$x1: NanoCore.ClientPluginHost 0x27273:$x1: NanoCore.ClientPluginHost 0x6dbc9:$x1: NanoCore.ClientPluginHost 0x78531:$x1: NanoCore.ClientPluginHost 0x10301:$x2: IClientNetworkHost 0x15edf:$x2: IClientNetworkHost 0x272b8:$x2: IClientNetworkHost 0x6dbef:$x2: IClientNetworkHost 0x78592:$x2: IClientNetworkHost 0x7d997:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8b909:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6332	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6332	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x101cd:$a: NanoCore 0x1026e:$a: NanoCore 0x102db:$a: NanoCore 0x1039c:$a: NanoCore 0x1126d:$a: NanoCore 0x112c0:$a: NanoCore 0x112f9:$a: NanoCore 0x1136c:$a: NanoCore 0x15e14:$a: NanoCore 0x15e41:$a: NanoCore 0x15e9a:$a: NanoCore 0x1d6a9:$a: NanoCore 0x1d6bc:$a: NanoCore 0x1d6ee:$a: NanoCore 0x271ed:$a: NanoCore 0x2721a:$a: NanoCore 0x27273:$a: NanoCore 0x2ea82:$a: NanoCore 0x2ea95:$a: NanoCore 0x2eac7:$a: NanoCore 0x373d3:$a: NanoCore
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xae55e:$x1: NanoCore.ClientPluginHost 0x13a25a:$x1: NanoCore.ClientPluginHost 0x13fe19:$x1: NanoCore.ClientPluginHost 0x151218:$x1: NanoCore.ClientPluginHost 0x1ad370:$x1: NanoCore.ClientPluginHost 0xae5bf:$x2: IClientNetworkHost 0x13a280:$x2: IClientNetworkHost 0x13fe5e:$x2: IClientNetworkHost 0x15125d:$x2: IClientNetworkHost 0x1ad396:$x2: IClientNetworkHost 0xb39c4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc1936:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x424b6:$a: NanoCore 0xae063:$a: NanoCore 0xae07f:$a: NanoCore 0xae1da:$a: NanoCore 0xae1e9:$a: NanoCore 0xae4c2:$a: NanoCore 0xae4ee:$a: NanoCore 0xae55e:$a: NanoCore 0xbdfa0:$a: NanoCore 0xbdfb2:$a: NanoCore 0xbdfee:$a: NanoCore 0x13a14c:$a: NanoCore 0x13a1ed:$a: NanoCore 0x13a25a:$a: NanoCore 0x13a31b:$a: NanoCore 0x13b1ec:$a: NanoCore 0x13b23f:$a: NanoCore 0x13b278:$a: NanoCore 0x13b2eb:$a: NanoCore 0x13fd93:$a: NanoCore 0x13fdc0:$a: NanoCore
Click to see the 53 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.dhcpmon.exe.40530dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
16.2.dhcpmon.exe.40530dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
16.2.dhcpmon.exe.40530dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.2d53ac8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.dhcpmon.exe.2d53ac8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
15.2.dhcpmon.exe.3adb170.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.3adb170.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
15.2.dhcpmon.exe.3adb170.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.3adb170.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
14.2.dhcpmon.exe.3d7eab4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d7eab4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d7eab4.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.dhcpmon.exe.28588ac.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.dhcpmon.exe.40c14a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.40c14a0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.40c14a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
15.2.dhcpmon.exe.3adb170.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.3adb170.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
15.2.dhcpmon.exe.3adb170.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.3adb170.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
11.2.dhcpmon.exe.420b170.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.420b170.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
11.2.dhcpmon.exe.420b170.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.420b170.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
11.2.dhcpmon.exe.420b170.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.420b170.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.dhcpmon.exe.420b170.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.420b170.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.dhcpmon.exe.3d830dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d830dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d830dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.404eab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
16.2.dhcpmon.exe.404eab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
16.2.dhcpmon.exe.404eab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
11.2.dhcpmon.exe.411a0c0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.411a0c0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.411a0c0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.39914a0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.39914a0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.39914a0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
16.2.dhcpmon.exe.404eab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
16.2.dhcpmon.exe.404eab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.404eab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.dhcpmon.exe.3d7eab4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d7eab4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d7eab4.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
16.2.dhcpmon.exe.3023ac8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
16.2.dhcpmon.exe.3023ac8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
0.2.bbbe7872ea466446da60c4da50020cbb.exe.2d78900.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
15.2.dhcpmon.exe.39ea0c0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.39ea0c0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.39ea0c0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
10.2.bbbe7872ea466446da60c4da50020cbb.exe.2e18918.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.dhcpmon.exe.2f888c4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 131 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe, ProcessId: 6996, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe, ParentImage: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe, ParentProcessId: 6996, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp', ProcessId: 7072

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

ReversingLabs: Detection: 34%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

Joe Sandbox ML: detected

Source: 14.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348914863.0000000008030000.00000002.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.369455397.0000000007BC0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.372863219.0000000007CF0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.386840376.0000000007650000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: cloudhost.myfirewall.org

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 79.134.225.105:5654

Source: Joe Sandbox View

IP Address: 79.134.225.105 79.134.225.105

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: queries for: cloudhost.myfirewall.org

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.325630674.00000000051A9000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	String found in binary or memory: http://inchat.kro.kr
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	String found in binary or memory: http://schooldb.inchat.kro.kr/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.330244134.00000000051DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com&
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCw
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comormD
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.332711004.00000000051D5000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.327774459.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	String found in binary or memory: http://www.gagalive.kr/livechat1.swf?chatroom=inchat-
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.334789389.00000000051D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vvT
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnp
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe, frmLogin.cs	Long String: Length: 13656
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 0.0.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: dhcpmon.exe.4.dr, frmLogin.cs	Long String: Length: 13656
Source: 4.0.bbbe7872ea466446da60c4da50020cbb.exe.620000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.620000.1.unpack, frmLogin.cs	Long String: Length: 13656
Source: 10.0.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 11.2.dhcpmon.exe.720000.0.unpack, frmLogin.cs	Long String: Length: 13656

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_0059AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F052D8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F04890
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F04688
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F052C8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F04678
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F0C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_0059AF8E
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0062AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_01117AC1
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0062AF8E
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_0072AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_01072E09
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964890
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964688
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_029652D8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964880
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_029652C8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964678
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_0296C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_0072AF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_00EC2E09
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B04890
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B04688
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B052D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B052C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B04678
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B0C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_0079AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD2FA8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD23A0
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD3850
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD306F
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_0079AF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_001FAC81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_001FAF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_0050AC81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D423A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D42FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D43850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D4306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_0050AF8E

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.342613471.000000000060A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348914863.0000000008030000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.349527090.00000000081F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000000.340812552.000000000069A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000000.350174572.000000000079A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.370141196.0000000007D70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.369455397.0000000007BC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000000.353961165.000000000080A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.378738155.00000000050F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: bbbe7872ea466446da60c4da50020cbb.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: bbbe7872ea466446da60c4da50020cbb.exe, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: dhcpmon.exe.4.dr, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.bbbe7872ea466446da60c4da50020cbb.exe.620000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.620000.1.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 10.0.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 11.2.dhcpmon.exe.720000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/8@20/1

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_051706DA AdjustTokenPrivileges,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_051706A3 AdjustTokenPrivileges,

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bbbe7872ea466446da60c4da50020cbb.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{d1470c94-c693-4be3-b7c3-884d57fb2b86}

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7E95.tmp

Jump to behavior

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: bbbe7872ea466446da60c4da50020cbb.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File read: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 'C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe'
Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F08420 pushad ; iretd
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0111AD35 push cs; retf
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_01119D74 push eax; retf
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_01119D78 pushad ; retf
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0111ADA9 push cs; retf
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_011174B8 push ebp; ret
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_011174AC push ecx; ret
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0111ACC1 push cs; retf
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02968420 pushad ; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B08420 pushad ; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.59845021391
Source: initial sample	Static PE information: section name: .text entropy: 7.59845021391

Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5656, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6084, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780, type: MEMORY
Source: Yara match	File source: 15.2.dhcpmon.exe.28588ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.2d78900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.2e18918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.2f888c4.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Window / User API: foregroundWindowGot 894

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6784	Thread sleep time: -103297s >= -30000s
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912	Thread sleep count: 174 > 30
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912	Thread sleep count: 271 > 30
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4876	Thread sleep count: 296 > 30
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 492	Thread sleep time: -220000s >= -30000s
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4828	Thread sleep time: -99751s >= -30000s
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4704	Thread sleep time: -100504s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5960	Thread sleep time: -103946s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4744	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Memory written: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Memory written: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597421773.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597421773.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Program Managerv
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Code function: 4_2_0110AF9A GetUserNameW,

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture11	Security Software Discovery21	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information31	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bbbe7872ea466446da60c4da50020cbb.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
bbbe7872ea466446da60c4da50020cbb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
cloudhost.myfirewall.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
cloudhost.myfirewall.org	0%	Avira URL Cloud	safe
http://www.carterandcone.com&	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.comormD	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.zhongyicts.com.cnp	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/D	0%	Avira URL Cloud	safe
http://www.gagalive.kr/livechat1.swf?chatroom=inchat-	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comTCw	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/vvT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cloudhost.myfirewall.org	79.134.225.105	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudhost.myfirewall.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.com&	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/?	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comormD	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	false		high
http://www.carterandcone.com.	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.330244134.00000000051DD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/(	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.como.	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schooldb.inchat.kro.kr/	dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	false		high
http://www.apache.org/licenses/LICENSE-2.0	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.334789389.00000000051D5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://inchat.kro.kr	dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	false		high
http://www.fontbureau.com/designers/cabarga.htmlo	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTC	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cnp	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/D	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gagalive.kr/livechat1.swf?chatroom=inchat-	dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	false	Avira URL Cloud: safe	unknown
http://en.w	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.325630674.00000000051A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.327774459.00000000051AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.332711004.00000000051D5000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTCw	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/vvT	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.105	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358272
Start date:	25.02.2021
Start time:	11:23:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	bbbe7872ea466446da60c4da50020cbb.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/8@20/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.7% (good quality ratio 0.6%) Quality average: 61.9% Quality standard deviation: 18.7%
HCA Information:	Successful, ratio: 86% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.103.5.186, 104.43.139.144, 204.79.197.200, 13.107.21.200, 23.218.209.198, 104.42.151.234, 92.122.145.220, 52.255.188.83, 51.104.144.132, 67.26.75.254, 8.253.207.120, 8.248.147.254, 67.27.158.254, 8.248.137.254, 52.155.217.156, 51.103.5.159, 20.54.26.129, 92.122.213.247, 92.122.213.194, 104.43.193.48, 51.104.139.180, 184.30.20.56 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:24:42	API Interceptor	911x Sleep call for process: bbbe7872ea466446da60c4da50020cbb.exe modified
11:24:47	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe" s>$(Arg0)
11:24:48	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
11:24:49	API Interceptor	2x Sleep call for process: dhcpmon.exe modified
11:24:49	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.105	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse
	5293ea9467ea45e928620a5ed74440f5.exe	Get hash	malicious	Browse
	f1a14e6352036833f1c109e1bb2934f2.exe	Get hash	malicious	Browse
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse
	d88e07467ddcf9e3b19fa972b9f000d1.exe	Get hash	malicious	Browse
	73a4f40d0affe5eea89174f8917bba73.exe	Get hash	malicious	Browse
	9a08c8a2b49d6348f2ef35f85a1c6351.exe	Get hash	malicious	Browse
	7eec14e7cec4dc93fbf53e08998b2340.exe	Get hash	malicious	Browse
	f2a22415c1b108ce91fd76e3320431d0.exe	Get hash	malicious	Browse
	1d8eff2bc76e46dc186fa501e24f5cb1.exe	Get hash	malicious	Browse
	1464bbe24dac1f403f15b3c3860f37ca.exe	Get hash	malicious	Browse
	1d78424ce6944359d546dbcbc030f19e.exe	Get hash	malicious	Browse
	84ab43f7eda35ae038b199d3a3586b77.exe	Get hash	malicious	Browse
	Require_Quote_20200128 SSG.pdf ind.exe	Get hash	malicious	Browse
	DHL FILE 987634732.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	NKF20205 LIST.exe	Get hash	malicious	Browse
	URGENT PO.exe	Get hash	malicious	Browse
	scan002947779488.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cloudhost.myfirewall.org	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse	79.134.225.105
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse	79.134.225.105
	9a08c8a2b49d6348f2ef35f85a1c6351.exe	Get hash	malicious	Browse	79.134.225.105
	zSDBuG8gDl.exe	Get hash	malicious	Browse	185.229.243.67
	65d1beae1fc7eb126cd4a9b277afb942.exe	Get hash	malicious	Browse	79.134.225.96
	f2a22415c1b108ce91fd76e3320431d0.exe	Get hash	malicious	Browse	79.134.225.105
	1d8eff2bc76e46dc186fa501e24f5cb1.exe	Get hash	malicious	Browse	79.134.225.105
	5134b758f8eb77424254ce67f4697ffe.exe	Get hash	malicious	Browse	79.134.225.96
	1d8eff2bc76e46dc186fa501e24f5cb1.exe	Get hash	malicious	Browse	79.134.225.96
	460f7e6048ed3ca91f1573a7410fedd6.exe	Get hash	malicious	Browse	79.134.225.96
	1d78424ce6944359d546dbcbc030f19e.exe	Get hash	malicious	Browse	79.134.225.105

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	cp573oYDUX.exe	Get hash	malicious	Browse	79.134.225.43
	Y5XyMnx8Ng.exe	Get hash	malicious	Browse	79.134.225.43
	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	79.134.225.43
	xF7GogN7tM.exe	Get hash	malicious	Browse	79.134.225.120
	TZgGVyMJYF.exe	Get hash	malicious	Browse	79.134.225.74
	ilpbALnKbE.exe	Get hash	malicious	Browse	79.134.225.103
	Documents.exe	Get hash	malicious	Browse	79.134.225.87
	SWcNyi2YBj.exe	Get hash	malicious	Browse	79.134.225.103
	Confirmation Transfer Note Ref Number0002636.exe	Get hash	malicious	Browse	79.134.225.8
	TdX45jQWjj.exe	Get hash	malicious	Browse	79.134.225.43
	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse	79.134.225.105
	WxTm2cWLHF.exe	Get hash	malicious	Browse	79.134.225.71
	Payment Confirmation.exe	Get hash	malicious	Browse	79.134.225.30
	rjHlt1zz28.exe	Get hash	malicious	Browse	79.134.225.49
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	79.134.225.49
	document.exe	Get hash	malicious	Browse	79.134.225.122
	5293ea9467ea45e928620a5ed74440f5.exe	Get hash	malicious	Browse	79.134.225.105
	f1a14e6352036833f1c109e1bb2934f2.exe	Get hash	malicious	Browse	79.134.225.105
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse	79.134.225.105
	JOIN.exe	Get hash	malicious	Browse	79.134.225.30

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	487424
Entropy (8bit):	7.585377119878555
Encrypted:	false
SSDEEP:	12288:13Wp0pFZhvpNkMtT4vH2PEe4nU7YTRwiQSBuDG9RDQ1Ln:1ZFZDWocvHwt4bqDMDQF
MD5:	88EF84E623F21AF8C30D3BBA321A7448
SHA1:	701339B101C76FA1BA159C66B48EF2F9B6D73AA8
SHA-256:	0095C39F2D6F62DEA9FD6D066DECAB6F0A7ACAB87829F659EFD01BC1D2564BD0
SHA-512:	2441191F7FE76BFEF584960ED21EC576DD36D0FD37882F77A91A0FC05921A7B459E030FCBC4E3A3207F55BA9D8992CDD69F20A87C1837FF2EAC13C1F89D16035
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6`..............P..f............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...4d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H...........lE...........:...I...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+...0......

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bbbe7872ea466446da60c4da50020cbb.exe.log Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp7E95.tmp Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1325
Entropy (8bit):	5.142681781286418
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0VxuDxtn:cbk4oL600QydbQxIYODOLedq3iij
MD5:	84A099124F6C7EE51E18E71DC7BC3A9B
SHA1:	1711144C438CBDF89365DB7FA6321956BC973CF7
SHA-256:	8239178C04A3BA7C0A51E29EA046C53C7DFD6434CA19F053730578CEB231B4F9
SHA-512:	E3653310916ADF9C0A96AAC010900B7E2A7B7156651A06B53E75110A212A1C9A6489CE58E9D856B8A4DD473612D91C760D5855B9E3200496B3D4204DF4AA91AF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp81B3.tmp Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:hn:h
MD5:	D31129909503FD8FFBD27BEC609FAEFB
SHA1:	31E23DEAE7A4A3318FEDE87058CD39880371C5A6
SHA-256:	A8BD14E933B3B91C59B72BBE9F0CE37D00BFD53DC4E41A838E4488F8B1C4FDC4
SHA-512:	C3CC657202070CF423E811054FBB0C4DC48BC2545DD7DC0DD2FD4D392F17985C71D920E918FD145F2DEE0C85691CD4F43F664B13A0E07B279DC1A63E7D57AE38
Malicious:	true
Preview:	..E....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.443732754068415
Encrypted:	false
SSDEEP:	3:oNN2+WHAuK1T95RbXVQHLNn:oNN2RguuhbXVQrNn
MD5:	1305CC0074A93B66ED5F48F9F5525B0A
SHA1:	FF47387DBEDCF1D78859AE5E69D68087E9D001B8
SHA-256:	2683F197FE07E73150EFC619A6D18BD2D459B37B243B109A350F697E50033E38
SHA-512:	54CAD3A91F06B1651FEF9F3B34ED4DCC4445D36D4E77E8F61A8C74049ADD13CBFDB8F246CFDE78CB634170234D04C30726B5E4956955FDCEE7AC5760E1A8881C
Malicious:	false
Preview:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.585377119878555
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	bbbe7872ea466446da60c4da50020cbb.exe
File size:	487424
MD5:	88ef84e623f21af8c30d3bba321a7448
SHA1:	701339b101c76fa1ba159c66b48ef2f9b6d73aa8
SHA256:	0095c39f2d6f62dea9fd6d066decab6f0a7acab87829f659efd01bc1d2564bd0
SHA512:	2441191f7fe76bfef584960ed21ec576dd36d0fd37882f77a91a0fc05921a7b459e030fcbc4e3a3207f55ba9d8992cdd69f20a87c1837ff2eac13c1f89d16035
SSDEEP:	12288:13Wp0pFZhvpNkMtT4vH2PEe4nU7YTRwiQSBuDG9RDQ1Ln:1ZFZDWocvHwt4bqDMDQF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6`..............P..f............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47842e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6036DFEC [Wed Feb 24 23:23:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x783dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x5dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x76434	0x76600	False	0.81248968783	data	7.59845021391	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x5dc	0x600	False	0.43359375	data	4.18581494296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7a090	0x34c	data
RT_MANIFEST	0x7a3ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016 - 2021
Assembly Version	1.0.0.0
InternalName	SystemLazyDebugView.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ASM PS
ProductVersion	1.0.0.0
FileDescription	ASM PS
OriginalFilename	SystemLazyDebugView.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:24:48.626800060 CET	49712	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:48.709671974 CET	5654	49712	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:49.325844049 CET	49712	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:49.410424948 CET	5654	49712	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:50.025794983 CET	49712	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:50.109920979 CET	5654	49712	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:54.695738077 CET	49713	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:54.783087969 CET	5654	49713	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:55.354371071 CET	49713	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:55.439676046 CET	5654	49713	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:56.058144093 CET	49713	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:56.145593882 CET	5654	49713	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:00.273941040 CET	49714	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:00.358505964 CET	5654	49714	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:00.870687962 CET	49714	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:00.955174923 CET	5654	49714	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:01.464282036 CET	49714	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:01.547135115 CET	5654	49714	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:05.998193979 CET	49721	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:06.080715895 CET	5654	49721	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:06.589694977 CET	49721	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:06.673861980 CET	5654	49721	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:07.183506966 CET	49721	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:07.266280890 CET	5654	49721	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:11.364681959 CET	49727	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:11.450200081 CET	5654	49727	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:12.121423006 CET	49727	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:12.209835052 CET	5654	49727	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:12.824589014 CET	49727	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:12.910170078 CET	5654	49727	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:17.076725006 CET	49730	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:17.161436081 CET	5654	49730	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:17.668745041 CET	49730	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:17.751597881 CET	5654	49730	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:18.262532949 CET	49730	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:18.347594023 CET	5654	49730	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:22.442135096 CET	49731	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:22.529938936 CET	5654	49731	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:23.044122934 CET	49731	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:23.132652044 CET	5654	49731	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:23.637950897 CET	49731	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:23.730770111 CET	5654	49731	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:27.997536898 CET	49738	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:28.080324888 CET	5654	49738	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:28.591954947 CET	49738	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:28.677618027 CET	5654	49738	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:29.202150106 CET	49738	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:29.284926891 CET	5654	49738	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:33.562685013 CET	49745	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:33.648861885 CET	5654	49745	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:34.201298952 CET	49745	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:34.294214010 CET	5654	49745	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:34.904462099 CET	49745	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:34.989918947 CET	5654	49745	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:39.131872892 CET	49752	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:39.214664936 CET	5654	49752	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:39.717439890 CET	49752	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:39.800367117 CET	5654	49752	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:40.311438084 CET	49752	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:40.394157887 CET	5654	49752	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:44.567759037 CET	49753	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:44.653165102 CET	5654	49753	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:45.155433893 CET	49753	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:45.240783930 CET	5654	49753	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:45.749188900 CET	49753	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:45.835782051 CET	5654	49753	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:49.973664045 CET	49757	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:50.060617924 CET	5654	49757	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:50.562046051 CET	49757	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:50.651330948 CET	5654	49757	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:51.155955076 CET	49757	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:07.282320023 CET	49761	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:07.372164011 CET	5654	49761	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:07.876277924 CET	49761	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:07.958929062 CET	5654	49761	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:08.469770908 CET	49761	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:08.552668095 CET	5654	49761	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:12.692601919 CET	49764	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:12.779438972 CET	5654	49764	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:13.282622099 CET	49764	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:13.368633032 CET	5654	49764	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:13.876403093 CET	49764	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:13.963768005 CET	5654	49764	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:18.590110064 CET	49765	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:18.677874088 CET	5654	49765	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:19.189440966 CET	49765	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:19.277095079 CET	5654	49765	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:19.783225060 CET	49765	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:19.868992090 CET	5654	49765	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:24.321764946 CET	49766	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:24.409323931 CET	5654	49766	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:24.928036928 CET	49766	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:25.013566017 CET	5654	49766	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:25.518033028 CET	49766	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:25.603816032 CET	5654	49766	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:29.753073931 CET	49768	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:29.837347031 CET	5654	49768	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:30.354100943 CET	49768	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:30.436645985 CET	5654	49768	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:30.947804928 CET	49768	5654	192.168.2.6	79.134.225.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:24:27.117582083 CET	57725	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:27.166593075 CET	53	57725	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:28.176310062 CET	49283	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:28.217499971 CET	58377	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:28.225069046 CET	53	49283	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:28.269035101 CET	53	58377	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:29.046103001 CET	55074	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:29.118208885 CET	53	55074	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:29.214934111 CET	54513	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:29.264540911 CET	53	54513	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:30.449815035 CET	62044	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:30.501537085 CET	53	62044	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:32.090500116 CET	63791	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:32.160540104 CET	53	63791	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:33.270864010 CET	64267	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:33.319513083 CET	53	64267	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:34.359849930 CET	49448	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:34.411431074 CET	53	49448	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:48.212694883 CET	60342	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:48.389832020 CET	53	60342	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:54.637378931 CET	61346	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:54.694610119 CET	53	61346	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:00.210314035 CET	51774	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:00.270603895 CET	53	51774	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:03.047249079 CET	56023	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:03.095995903 CET	53	56023	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:04.005820990 CET	58384	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:04.054773092 CET	53	58384	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:04.948786020 CET	60261	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:04.997585058 CET	53	60261	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:05.491166115 CET	56061	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:05.542964935 CET	53	56061	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:05.925417900 CET	58336	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:05.988379002 CET	53	58336	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:06.118753910 CET	53781	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:06.167573929 CET	53	53781	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:07.061675072 CET	54064	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:07.110531092 CET	53	54064	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:08.066205025 CET	52811	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:08.115267038 CET	53	52811	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:08.901803970 CET	55299	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:08.962486029 CET	53	55299	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:10.411164999 CET	63745	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:10.468545914 CET	53	63745	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:11.305735111 CET	50055	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:11.363370895 CET	53	50055	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:13.473772049 CET	61374	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:13.523927927 CET	53	61374	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:14.458923101 CET	50339	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:14.508641005 CET	53	50339	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:17.018151045 CET	63307	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:17.075424910 CET	53	63307	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:22.383959055 CET	49694	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:22.440958977 CET	53	49694	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:22.454272032 CET	54982	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:22.506934881 CET	53	54982	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:25.711648941 CET	50010	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:25.768949032 CET	53	50010	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:26.315239906 CET	63718	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:26.366815090 CET	53	63718	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.118741989 CET	62116	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.126820087 CET	63816	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.175472021 CET	53	63816	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.175956011 CET	53	62116	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.606359005 CET	55014	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.663378954 CET	53	55014	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.907069921 CET	62208	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.952208042 CET	57574	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.964279890 CET	53	62208	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:28.019773006 CET	53	57574	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:28.168005943 CET	51818	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:28.225503922 CET	53	51818	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:28.942802906 CET	56628	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:29.002837896 CET	53	56628	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:30.171575069 CET	60778	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:30.232163906 CET	53	60778	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:31.825973988 CET	53799	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:31.874722958 CET	53	53799	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:33.121190071 CET	54683	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:33.173006058 CET	53	54683	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:33.444616079 CET	59329	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:33.494067907 CET	53	59329	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:33.657452106 CET	64021	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:33.707140923 CET	53	64021	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:36.012670040 CET	56129	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:36.075216055 CET	53	56129	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:39.068284988 CET	58177	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:39.117019892 CET	53	58177	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:44.506081104 CET	50700	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:44.566046000 CET	53	50700	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:45.987143993 CET	54069	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:46.037607908 CET	53	54069	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:47.105782032 CET	61178	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:47.158185005 CET	53	61178	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:48.100619078 CET	57017	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:48.150759935 CET	53	57017	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:49.913017988 CET	56327	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:49.971278906 CET	53	56327	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:04.542124987 CET	50243	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:04.593692064 CET	53	50243	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:04.987422943 CET	62055	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:05.052566051 CET	53	62055	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:07.228221893 CET	61249	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:07.280585051 CET	53	61249	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:08.916820049 CET	65252	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:08.977189064 CET	53	65252	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:12.625998974 CET	64367	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:12.690673113 CET	53	64367	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:18.522969007 CET	55066	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:18.585977077 CET	53	55066	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:24.260216951 CET	60211	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:24.320557117 CET	53	60211	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:28.934892893 CET	56570	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:28.983767033 CET	53	56570	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:29.690567017 CET	58454	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:29.752105951 CET	53	58454	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:35.151140928 CET	55180	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:35.208693981 CET	53	55180	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:40.576133966 CET	58721	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:40.637666941 CET	53	58721	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:45.918656111 CET	57691	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:45.976176023 CET	53	57691	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 11:24:48.212694883 CET	192.168.2.6	8.8.8.8	0xeff6	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:24:54.637378931 CET	192.168.2.6	8.8.8.8	0x104c	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:00.210314035 CET	192.168.2.6	8.8.8.8	0xc159	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:05.925417900 CET	192.168.2.6	8.8.8.8	0x556a	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:11.305735111 CET	192.168.2.6	8.8.8.8	0xeb5	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:17.018151045 CET	192.168.2.6	8.8.8.8	0x3637	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:22.383959055 CET	192.168.2.6	8.8.8.8	0x15a1	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:27.907069921 CET	192.168.2.6	8.8.8.8	0x8fb3	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:33.444616079 CET	192.168.2.6	8.8.8.8	0x9128	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:39.068284988 CET	192.168.2.6	8.8.8.8	0xc65d	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:44.506081104 CET	192.168.2.6	8.8.8.8	0xbda7	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:49.913017988 CET	192.168.2.6	8.8.8.8	0x1d2f	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:07.228221893 CET	192.168.2.6	8.8.8.8	0xafc0	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:12.625998974 CET	192.168.2.6	8.8.8.8	0xb43d	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:18.522969007 CET	192.168.2.6	8.8.8.8	0xd2af	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:24.260216951 CET	192.168.2.6	8.8.8.8	0xd4ec	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:29.690567017 CET	192.168.2.6	8.8.8.8	0xd408	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:35.151140928 CET	192.168.2.6	8.8.8.8	0x1c71	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:40.576133966 CET	192.168.2.6	8.8.8.8	0x1429	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:45.918656111 CET	192.168.2.6	8.8.8.8	0x7f8d	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 25, 2021 11:24:48.389832020 CET	8.8.8.8	192.168.2.6	0xeff6	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:24:54.694610119 CET	8.8.8.8	192.168.2.6	0x104c	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:00.270603895 CET	8.8.8.8	192.168.2.6	0xc159	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:05.988379002 CET	8.8.8.8	192.168.2.6	0x556a	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:11.363370895 CET	8.8.8.8	192.168.2.6	0xeb5	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:17.075424910 CET	8.8.8.8	192.168.2.6	0x3637	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:22.440958977 CET	8.8.8.8	192.168.2.6	0x15a1	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:27.964279890 CET	8.8.8.8	192.168.2.6	0x8fb3	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:33.494067907 CET	8.8.8.8	192.168.2.6	0x9128	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:39.117019892 CET	8.8.8.8	192.168.2.6	0xc65d	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:44.566046000 CET	8.8.8.8	192.168.2.6	0xbda7	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:49.971278906 CET	8.8.8.8	192.168.2.6	0x1d2f	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:07.280585051 CET	8.8.8.8	192.168.2.6	0xafc0	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:12.690673113 CET	8.8.8.8	192.168.2.6	0xb43d	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:18.585977077 CET	8.8.8.8	192.168.2.6	0xd2af	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:24.320557117 CET	8.8.8.8	192.168.2.6	0xd4ec	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:29.752105951 CET	8.8.8.8	192.168.2.6	0xd408	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:35.208693981 CET	8.8.8.8	192.168.2.6	0x1c71	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:40.637666941 CET	8.8.8.8	192.168.2.6	0x1429	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:45.976176023 CET	8.8.8.8	192.168.2.6	0x7f8d	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780 Parent PID: 5892

General

Start time:	11:24:36
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe'
Imagebase:	0x590000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996 Parent PID: 6780

General

Start time:	11:24:43
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Imagebase:	0x620000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 7072 Parent PID: 6996

General

Start time:	11:24:45
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'
Imagebase:	0x340000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7080 Parent PID: 7072

General

Start time:	11:24:45
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 7124 Parent PID: 6996

General

Start time:	11:24:46
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'
Imagebase:	0x340000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7132 Parent PID: 7124

General

Start time:	11:24:46
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620 Parent PID: 936

General

Start time:	11:24:48
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 0
Imagebase:	0x720000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: dhcpmon.exe PID: 5656 Parent PID: 936

General

Start time:	11:24:48
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x720000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 348 Parent PID: 5620

General

Start time:	11:24:49
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Imagebase:	0x790000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: dhcpmon.exe PID: 6240 Parent PID: 5656

General

Start time:	11:24:52
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x1f0000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: dhcpmon.exe PID: 6332 Parent PID: 5656

General

Start time:	11:24:54
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x500000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: dhcpmon.exe PID: 6084 Parent PID: 3440

General

Start time:	11:24:58
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x40000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: dhcpmon.exe PID: 6340 Parent PID: 6084

General

Start time:	11:24:59
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x8f0000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report bbbe7872ea466446da60c4da50020cbb.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre