Analysis Report CU3e1CWzlr.exe

Overview

General Information

Sample Name:	CU3e1CWzlr.exe
Analysis ID:	383199
MD5:	bc906f26edfec13cdb13d8a6b97f344b
SHA1:	33933248690d87f77693865e7393395ec2ea3792
SHA256:	23ac7754b6ad5fc382857b05ad514a716cd3dcf861867d3be02a5a92ca7fe067
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Quotation.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "894ac765-a5c8-42af-bb6a-ac66f210", "Group": "Default", "Domain1": "185.244.26.250", "Domain2": "oleg321.ddns.net", "Port": 3231, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 86%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 100%
Source: C:\Quotation.exe	Metadefender: Detection: 86%	Perma Link
Source: C:\Quotation.exe	ReversingLabs: Detection: 100%
Source: C:\Quotation.sfx.exe	Metadefender: Detection: 27%	Perma Link
Source: C:\Quotation.sfx.exe	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: CU3e1CWzlr.exe	Virustotal: Detection: 56%	Perma Link
Source: CU3e1CWzlr.exe	Metadefender: Detection: 32%	Perma Link
Source: CU3e1CWzlr.exe	ReversingLabs: Detection: 72%

Yara detected Nanocore RAT

Source: Yara match	File source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: C:\Quotation.exe, type: DROPPED
Source: Yara match	File source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Quotation.sfx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Quotation.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: CU3e1CWzlr.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 10.2.Quotation.exe.390000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Quotation.exe.5440000.8.unpack	Avira: Label: TR/NanoCore.fadte
Source: 11.2.dhcpmon.exe.860000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Quotation.exe.390000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Quotation.exe.160000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.dhcpmon.exe.860000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.aa0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Quotation.exe.160000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.aa0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: CU3e1CWzlr.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Quotation.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: CU3e1CWzlr.exe
Source:	Binary string: rlib.pdbLE=C:\( source: Quotation.exe, 00000005.00000002.466255893.0000000000930000.00000004.00000040.sdmp
Source:	Binary string: ib.pdb>r source: Quotation.exe, 00000005.00000002.466500509.000000000099C000.00000004.00000020.sdmp
Source:	Binary string: mscorrc.pdb source: Quotation.exe, 00000005.00000002.471858853.0000000005150000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CCA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00CCA2C3
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CE7D69 FindFirstFileExA,	0_2_00CE7D69
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00CDA536
Source: C:\Quotation.sfx.exe	Code function: 4_2_0034A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0034A2C3
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0035A536
Source: C:\Quotation.sfx.exe	Code function: 4_2_00367D69 FindFirstFileExA,	4_2_00367D69

Source: Malware configuration extractor	URLs: 185.244.26.250
Source: Malware configuration extractor	URLs: oleg321.ddns.net

Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174
Source: unknown	UDP traffic detected without corresponding DNS query: 37.235.1.174

Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Quotation.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Quotation.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Quotation.exe.2a33808.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.dhcpmon.exe.3223dc4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Quotation.exe.2781718.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.2fa3dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Quotation.exe.51b0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Source: C:\Quotation.exe	Code function: 5_2_04A816DA NtQuerySystemInformation,		5_2_04A816DA
Source: C:\Quotation.exe	Code function: 5_2_04A8169F NtQuerySystemInformation,		5_2_04A8169F

Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CD5983	0_2_00CD5983
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CC83EB	0_2_00CC83EB
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CEE8D4	0_2_00CEE8D4
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDE8EC	0_2_00CDE8EC
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CD30E5	0_2_00CD30E5
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CCE097	0_2_00CCE097
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CC31F0	0_2_00CC31F0
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CCBA6A	0_2_00CCBA6A
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDFA6A	0_2_00CDFA6A
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDF200	0_2_00CDF200
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CCD222	0_2_00CCD222
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CD63F1	0_2_00CD63F1
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CEA350	0_2_00CEA350
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CE2B68	0_2_00CE2B68
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CD2B39	0_2_00CD2B39
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CCECE9	0_2_00CCECE9
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CCDC32	0_2_00CCDC32
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDEDE8	0_2_00CDEDE8
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CD5DB8	0_2_00CD5DB8
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CD2DB4	0_2_00CD2DB4
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CC5E83	0_2_00CC5E83
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CE9EA0	0_2_00CE9EA0
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CCD634	0_2_00CCD634
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDF635	0_2_00CDF635
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CC3F95	0_2_00CC3F95
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CD4FB4	0_2_00CD4FB4
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CC2759	0_2_00CC2759
Source: C:\Quotation.sfx.exe	Code function: 4_2_00355983	4_2_00355983
Source: C:\Quotation.sfx.exe	Code function: 4_2_003483EB	4_2_003483EB
Source: C:\Quotation.sfx.exe	Code function: 4_2_0034E097	4_2_0034E097
Source: C:\Quotation.sfx.exe	Code function: 4_2_003530E5	4_2_003530E5
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035E8EC	4_2_0035E8EC
Source: C:\Quotation.sfx.exe	Code function: 4_2_0036E8D4	4_2_0036E8D4
Source: C:\Quotation.sfx.exe	Code function: 4_2_003431F0	4_2_003431F0
Source: C:\Quotation.sfx.exe	Code function: 4_2_0034D222	4_2_0034D222
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035F200	4_2_0035F200
Source: C:\Quotation.sfx.exe	Code function: 4_2_0034BA6A	4_2_0034BA6A
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035FA6A	4_2_0035FA6A
Source: C:\Quotation.sfx.exe	Code function: 4_2_00352B39	4_2_00352B39
Source: C:\Quotation.sfx.exe	Code function: 4_2_00362B68	4_2_00362B68
Source: C:\Quotation.sfx.exe	Code function: 4_2_0036A350	4_2_0036A350
Source: C:\Quotation.sfx.exe	Code function: 4_2_003563F1	4_2_003563F1
Source: C:\Quotation.sfx.exe	Code function: 4_2_0034DC32	4_2_0034DC32
Source: C:\Quotation.sfx.exe	Code function: 4_2_0034ECE9	4_2_0034ECE9
Source: C:\Quotation.sfx.exe	Code function: 4_2_00352DB4	4_2_00352DB4
Source: C:\Quotation.sfx.exe	Code function: 4_2_00355DB8	4_2_00355DB8
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035EDE8	4_2_0035EDE8
Source: C:\Quotation.sfx.exe	Code function: 4_2_0034D634	4_2_0034D634
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035F635	4_2_0035F635
Source: C:\Quotation.sfx.exe	Code function: 4_2_00369EA0	4_2_00369EA0
Source: C:\Quotation.sfx.exe	Code function: 4_2_00345E83	4_2_00345E83
Source: C:\Quotation.sfx.exe	Code function: 4_2_00342759	4_2_00342759
Source: C:\Quotation.sfx.exe	Code function: 4_2_00354FB4	4_2_00354FB4
Source: C:\Quotation.sfx.exe	Code function: 4_2_00343F95	4_2_00343F95
Source: C:\Quotation.exe	Code function: 5_2_0016524A	5_2_0016524A
Source: C:\Quotation.exe	Code function: 5_2_00882479	5_2_00882479
Source: C:\Quotation.exe	Code function: 5_2_00897AC1	5_2_00897AC1
Source: C:\Quotation.exe	Code function: 5_2_04963850	5_2_04963850
Source: C:\Quotation.exe	Code function: 5_2_049689D8	5_2_049689D8
Source: C:\Quotation.exe	Code function: 5_2_0496B2A8	5_2_0496B2A8
Source: C:\Quotation.exe	Code function: 5_2_049623A0	5_2_049623A0
Source: C:\Quotation.exe	Code function: 5_2_04962FA8	5_2_04962FA8
Source: C:\Quotation.exe	Code function: 5_2_049698EB	5_2_049698EB
Source: C:\Quotation.exe	Code function: 5_2_0496306F	5_2_0496306F
Source: C:\Quotation.exe	Code function: 5_2_049695D8	5_2_049695D8
Source: C:\Quotation.exe	Code function: 5_2_0496969F	5_2_0496969F
Source: C:\Quotation.exe	Code function: 10_2_0039524A	10_2_0039524A
Source: C:\Quotation.exe	Code function: 10_2_02593850	10_2_02593850
Source: C:\Quotation.exe	Code function: 10_2_02592FA8	10_2_02592FA8
Source: C:\Quotation.exe	Code function: 10_2_025923A0	10_2_025923A0
Source: C:\Quotation.exe	Code function: 10_2_0259306F	10_2_0259306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_0086524A	11_2_0086524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02BE2FA8	11_2_02BE2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02BE23A0	11_2_02BE23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02BE3850	11_2_02BE3850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02BE306F	11_2_02BE306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00AA524A	12_2_00AA524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_014F2FA8	12_2_014F2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_014F23A0	12_2_014F23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_014F306F	12_2_014F306F

Source: C:\Quotation.sfx.exe	Code function: String function: 0035CDF0 appears 37 times
Source: C:\Quotation.sfx.exe	Code function: String function: 0035D810 appears 31 times
Source: C:\Quotation.sfx.exe	Code function: String function: 0035CEC0 appears 53 times
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: String function: 00CDCDF0 appears 37 times
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: String function: 00CDCEC0 appears 53 times
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: String function: 00CDD810 appears 31 times

Source: CU3e1CWzlr.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CU3e1CWzlr.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation.sfx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation.sfx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: CU3e1CWzlr.exe, 00000000.00000002.201501099.00000000053A0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs CU3e1CWzlr.exe
Source: CU3e1CWzlr.exe, 00000000.00000002.201651304.00000000054A0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs CU3e1CWzlr.exe
Source: CU3e1CWzlr.exe, 00000000.00000002.201651304.00000000054A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CU3e1CWzlr.exe
Source: CU3e1CWzlr.exe, 00000000.00000002.201368998.0000000003100000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CU3e1CWzlr.exe

Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Quotation.sfx.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Quotation.sfx.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Quotation.sfx.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Quotation.sfx.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Quotation.sfx.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Quotation.sfx.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: Quotation.exe.4.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00033291903
Source: dhcpmon.exe.5.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00033291903

Source: Quotation.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Quotation.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Quotation.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Quotation.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Quotation.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Quotation.exe	Code function: 5_2_04A8149A AdjustTokenPrivileges,		5_2_04A8149A
Source: C:\Quotation.exe	Code function: 5_2_04A81463 AdjustTokenPrivileges,		5_2_04A81463

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Quotation.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Quotation.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{894ac765-a5c8-42af-bb6a-ac66f210ce48}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_01

Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Command line argument: sfxname	0_2_00CDC130
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Command line argument: sfxstime	0_2_00CDC130
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Command line argument: STARTDLG	0_2_00CDC130
Source: C:\Quotation.sfx.exe	Command line argument: *x9	4_2_0035C130
Source: C:\Quotation.sfx.exe	Command line argument: *a8	4_2_0035C130
Source: C:\Quotation.sfx.exe	Command line argument: 8y9	4_2_0035C130
Source: C:\Quotation.sfx.exe	Command line argument: sfxname	4_2_0035C130
Source: C:\Quotation.sfx.exe	Command line argument: sfxstime	4_2_0035C130
Source: C:\Quotation.sfx.exe	Command line argument: STARTDLG	4_2_0035C130

Source: C:\Quotation.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Quotation.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Quotation.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Quotation.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CU3e1CWzlr.exe 'C:\Users\user\Desktop\CU3e1CWzlr.exe'
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\1.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Quotation.sfx.exe Quotation.sfx.exe -p123 dc:\
Source: C:\Quotation.sfx.exe	Process created: C:\Quotation.exe 'C:\Quotation.exe'
Source: C:\Quotation.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Quotation.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Quotation.exe C:\Quotation.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\1.bat' '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Quotation.sfx.exe Quotation.sfx.exe -p123 dc:\	Jump to behavior
Source: C:\Quotation.sfx.exe	Process created: C:\Quotation.exe 'C:\Quotation.exe'	Jump to behavior
Source: C:\Quotation.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'	Jump to behavior
Source: C:\Quotation.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp'	Jump to behavior

Source: CU3e1CWzlr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CU3e1CWzlr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CU3e1CWzlr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CU3e1CWzlr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CU3e1CWzlr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CU3e1CWzlr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Analysis Report CU3e1CWzlr.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: CU3e1CWzlr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CU3e1CWzlr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CU3e1CWzlr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CU3e1CWzlr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CU3e1CWzlr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Quotation.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Quotation.exe.4.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.5.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDD856 push ecx; ret	0_2_00CDD869
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Code function: 0_2_00CDCDF0 push eax; ret	0_2_00CDCE0E
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035D856 push ecx; ret	4_2_0035D869
Source: C:\Quotation.sfx.exe	Code function: 4_2_0035CDF0 push eax; ret	4_2_0035CE0E
Source: C:\Quotation.exe	Code function: 5_2_008932FC push eax; iretd	5_2_008932FD
Source: C:\Quotation.exe	Code function: 5_2_00899D78 pushad ; retf	5_2_00899D79
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_02DB0000 push ss; retf	12_2_02DB0001
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_02DB063B pushfd ; retf	12_2_02DB0639
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_02DB0638 pushfd ; retf	12_2_02DB0639

Source: Quotation.exe.4.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: Quotation.exe.4.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.5.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.5.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	File created: C:\Quotation.sfx.exe	Jump to dropped file
Source: C:\Quotation.sfx.exe	File created: C:\Quotation.exe	Jump to dropped file
Source: C:\Quotation.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Source: C:\Users\user\Desktop\CU3e1CWzlr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.sfx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Quotation.exe TID: 6612	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Quotation.exe TID: 6608	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Quotation.exe TID: 6668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Quotation.exe, 00000005.00000003.427330798.0000000000A1F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Quotation.exe, 00000005.00000003.427330798.0000000000A1F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.