Analysis Report CU3e1CWzlr.exe

Overview

General Information

Sample Name: CU3e1CWzlr.exe
Analysis ID: 383199
MD5: bc906f26edfec13cdb13d8a6b97f344b
SHA1: 33933248690d87f77693865e7393395ec2ea3792
SHA256: 23ac7754b6ad5fc382857b05ad514a716cd3dcf861867d3be02a5a92ca7fe067
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • CU3e1CWzlr.exe (PID: 6072 cmdline: 'C:\Users\user\Desktop\CU3e1CWzlr.exe' MD5: BC906F26EDFEC13CDB13D8A6B97F344B)
    • cmd.exe (PID: 6240 cmdline: C:\Windows\system32\cmd.exe /c ''C:\1.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Quotation.sfx.exe (PID: 6312 cmdline: Quotation.sfx.exe -p123 dc:\ MD5: 9C30B408BBF38395C4BB213682044B68)
        • Quotation.exe (PID: 6488 cmdline: 'C:\Quotation.exe' MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
          • schtasks.exe (PID: 6512 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 6568 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Quotation.exe (PID: 6636 cmdline: C:\Quotation.exe 0 MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
  • dhcpmon.exe (PID: 6656 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
  • dhcpmon.exe (PID: 6872 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: C83BD9093E7AE550FC49FDC1A90B7F9E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "894ac765-a5c8-42af-bb6a-ac66f210", "Group": "Default", "Domain1": "185.244.26.250", "Domain2": "oleg321.ddns.net", "Port": 3231, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Dropped Files

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: C:\Quotation.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(3 further entries not shown in this extract)

Memory Dumps

Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
(50 further entries not shown in this extract)

Unpacked PEs

Source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x24178:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x241a5:$x2: IClientNetworkHost
Source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x24178:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x25253:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
  • 0x24192:$s5: IClientLoggingHost
Source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0x287a1:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
  • 0x287ce:$x2: IClientNetworkHost
Source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x287a1:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0x2987c:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
  • 0x287bb:$s5: IClientLoggingHost
(98 further entries not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Quotation.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Quotation.exe' , ParentImage: C:\Quotation.exe, ParentProcessId: 6488, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp', ProcessId: 6512

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Quotation.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "894ac765-a5c8-42af-bb6a-ac66f210", "Group": "Default", "Domain1": "185.244.26.250", "Domain2": "oleg321.ddns.net", "Port": 3231, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Metadefender: Detection: 86%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 100%
Source: C:\Quotation.exe | Metadefender: Detection: 86%
Source: C:\Quotation.exe | ReversingLabs: Detection: 100%
Source: C:\Quotation.sfx.exe | Metadefender: Detection: 27%
Source: C:\Quotation.sfx.exe | ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: CU3e1CWzlr.exe | Virustotal: Detection: 56%
Source: CU3e1CWzlr.exe | Metadefender: Detection: 32%
Source: CU3e1CWzlr.exe | ReversingLabs: Detection: 72%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match | File source: C:\Quotation.exe, type: DROPPED
Source: Yara match | File source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Quotation.sfx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Quotation.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CU3e1CWzlr.exe | Joe Sandbox ML: detected
Source: 10.2.Quotation.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Quotation.exe.5440000.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: 11.2.dhcpmon.exe.860000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Quotation.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Quotation.exe.160000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.dhcpmon.exe.860000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.aa0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Quotation.exe.160000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.aa0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: CU3e1CWzlr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Quotation.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CU3e1CWzlr.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: CU3e1CWzlr.exe
Source: Binary string: rlib.pdbLE=C:\( | source: Quotation.exe, 00000005.00000002.466255893.0000000000930000.00000004.00000040.sdmp
Source: Binary string: ib.pdb>r | source: Quotation.exe, 00000005.00000002.466500509.000000000099C000.00000004.00000020.sdmp
Source: Binary string: mscorrc.pdb | source: Quotation.exe, 00000005.00000002.471858853.0000000005150000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CE7D69 FindFirstFileExA,
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Quotation.sfx.exe | Code function: 4_2_0034A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Quotation.sfx.exe | Code function: 4_2_0035A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Quotation.sfx.exe | Code function: 4_2_00367D69 FindFirstFileExA,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 185.244.26.250
Source: Malware configuration extractor | URLs: oleg321.ddns.net
Uses dynamic DNS services
Source: unknown | DNS query: name: oleg321.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49717 -> 185.244.26.250:3231
Source: Joe Sandbox View | ASN Name: VAMU-ASIP-TRANSITVAMURU VAMU-ASIP-TRANSITVAMURU
Source: unknown | UDP traffic detected without corresponding DNS query: 37.235.1.174 (reported 9 times)
Source: unknown | DNS traffic detected: queries for: oleg321.ddns.net
Source: Quotation.exe, 00000005.00000002.466405596.000000000096B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Quotation.exe, 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File sources: identical to the list given for this signature under AV Detection above (16 memory dumps, 4 process memory spaces, 2 dropped files, 27 unpacked PEs)

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Quotation.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: C:\Quotation.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.Quotation.exe.2a33808.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3223dc4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.Quotation.exe.2781718.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.2fa3dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.Quotation.exe.51b0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
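The "Matched rule" listings in this report (the short form above with an Author field, and the long form with full rule metadata further down) are easier to act on once grouped by process. The following is an added example and not code from the Joe Sandbox report: a small Python parser that accepts both forms, including the glued "MEMORYMatched" spelling of the raw page, reads the process index and address out of the source name, and groups hits per process. The reading of the source-name fields (hex process index, dump phase, address in the .sdmp names; decimal index, image name and address in the .unpack names) is an assumption taken from the naming pattern on this page, not a documented format; the sample lines are copied from this report.

```python
"""Turn Joe Sandbox 'Matched rule' lines into a per-process Yara summary.

Added example; this is not code from the Joe Sandbox report. The layout of the
source names (process index, dump phase, address) is an assumption read off the
naming pattern in the report, not a documented format.
"""
import re
from collections import defaultdict

# Constructed input: a few lines copied from the report above. The first line
# keeps the glued "MEMORYMatched" spelling of the raw page on purpose.
SAMPLE = r"""
Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
"""

# One regex for both the short form ("<desc> Author: <name>") and the long
# form ("<rule> date = ..., author = ..."); the " | " separator is optional.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*(?:\|\s*)?Matched rule:\s*"
    r"(?P<rule>.+?)(?:\s+Author:\s*(?P<author>.+?)|\s+date\s*=.*)?\s*$"
)
META_AUTHOR_RE = re.compile(r"\bauthor\s*=\s*([^,]+)")
# Assumed layout: <hex process index>.<hex phase>.<seq>.<hex address>.<flags>.<flags>.sdmp
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.")
# Assumed layout: <index>.<phase>.<image name>.<hex address>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<name>.+?\.exe)\.(?P<addr>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")
PROCSPACE_RE = re.compile(r"^Process Memory Space:\s*(?P<name>\S+)\s+PID:\s*(?P<pid>\d+)$")


def parse_line(line):
    """Parse one report line into a dict, or return None for lines of other kinds."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, kind = m.group("src").strip(), m.group("type")
    author = m.group("author")
    if author is None:  # long form: author lives in the rule metadata
        meta = META_AUTHOR_RE.search(line)
        author = meta.group(1).strip() if meta else None
    rec = {"kind": kind, "rule": m.group("rule").strip(), "author": author,
           "source": src, "index": None, "name": None, "pid": None, "addr": None}
    proc, sdmp, unpack = PROCSPACE_RE.match(src), SDMP_RE.match(src), UNPACK_RE.match(src)
    if proc:                      # whole-process scan: only a Windows PID is known
        rec["name"], rec["pid"] = proc.group("name"), int(proc.group("pid"))
    elif sdmp:                    # memory dump: hex process index plus dump address
        rec["index"], rec["addr"] = int(sdmp.group("idx"), 16), int(sdmp.group("addr"), 16)
    elif unpack:                  # unpacked PE: decimal process index, image name, address
        rec["index"], rec["name"] = int(unpack.group("idx")), unpack.group("name")
        rec["addr"] = int(unpack.group("addr"), 16)
    elif kind == "DROPPED":       # dropped file: keep the file name only
        rec["name"] = src.rsplit("\\", 1)[-1]
    return rec


def summarize(text):
    """Group hits by Joe Sandbox process index; records without one (PID-only
    process scans, dropped files) are grouped under the file name instead."""
    by_index = defaultdict(lambda: {"names": set(), "rules": set(), "addrs": set(), "kinds": set()})
    by_name = defaultdict(lambda: {"rules": set(), "pids": set(), "kinds": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["index"] is not None:
            slot = by_index[rec["index"]]
            if rec["name"]:
                slot["names"].add(rec["name"])
            if rec["addr"] is not None:
                slot["addrs"].add(rec["addr"])
        else:
            slot = by_name[rec["name"] or rec["source"]]
            if rec["pid"] is not None:
                slot["pids"].add(rec["pid"])
        slot["rules"].add(rec["rule"])
        slot["kinds"].add(rec["kind"])
    return dict(by_index), dict(by_name)


def image_bases(by_index):
    """Lowest address seen per process index, used here as a proxy for the main
    image base (assumption: the '<idx>.<phase>.<name>.<base>.0.unpack' entry is it)."""
    return {idx: min(slot["addrs"]) for idx, slot in by_index.items() if slot["addrs"]}


if __name__ == "__main__":
    idx, names = summarize(SAMPLE)
    bases = image_bases(idx)
    for i, slot in sorted(idx.items()):
        print(f"process {i} {sorted(slot['names'])}: base={bases[i]:#x} rules={sorted(slot['rules'])}")
    for n, slot in names.items():
        print(f"{n}: pids={sorted(slot['pids'])} kinds={sorted(slot['kinds'])} rules={sorted(slot['rules'])}")
```

On the sample lines this ties the hex index 0000000C of the .sdmp names to process 12 (dhcpmon.exe, lowest address 0xAA0000) and 00000005 to process 5 (Quotation.exe, 0x160000), which is the same pairing the report's own "12.2.dhcpmon.exe.aa0000.0.unpack" and "5.2.Quotation.exe.160000.0.unpack" names show; a whole-process scan and a dropped-file hit carry no index and are grouped by file name.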
        Source: C:\Quotation.exe | Code function: 5_2_04A816DA NtQuerySystemInformation,
        Source: C:\Quotation.exe | Code function: 5_2_04A8169F NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CC7070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD5983
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CC83EB
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CEE8D4
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDE8EC
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD30E5
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCE097
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CC31F0
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCBA6A
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDFA6A
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDF200
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCD222
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD63F1
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CEA350
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CE2B68
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD2B39
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCECE9
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCDC32
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDEDE8
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD5DB8
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD2DB4
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CC5E83
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CE9EA0
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCD634
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDF635
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CC3F95
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD4FB4
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CC2759
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00355983
        Source: C:\Quotation.sfx.exe | Code function: 4_2_003483EB
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0034E097
        Source: C:\Quotation.sfx.exe | Code function: 4_2_003530E5
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0035E8EC
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0036E8D4
        Source: C:\Quotation.sfx.exe | Code function: 4_2_003431F0
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0034D222
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0035F200
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0034BA6A
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0035FA6A
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00352B39
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00362B68
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0036A350
        Source: C:\Quotation.sfx.exe | Code function: 4_2_003563F1
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0034DC32
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0034ECE9
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00352DB4
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00355DB8
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0035EDE8
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0034D634
        Source: C:\Quotation.sfx.exe | Code function: 4_2_0035F635
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00369EA0
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00345E83
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00342759
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00354FB4
        Source: C:\Quotation.sfx.exe | Code function: 4_2_00343F95
        Source: C:\Quotation.exe | Code function: 5_2_0016524A
        Source: C:\Quotation.exe | Code function: 5_2_00882479
        Source: C:\Quotation.exe | Code function: 5_2_00897AC1
        Source: C:\Quotation.exe | Code function: 5_2_04963850
        Source: C:\Quotation.exe | Code function: 5_2_049689D8
        Source: C:\Quotation.exe | Code function: 5_2_0496B2A8
        Source: C:\Quotation.exe | Code function: 5_2_049623A0
        Source: C:\Quotation.exe | Code function: 5_2_04962FA8
        Source: C:\Quotation.exe | Code function: 5_2_049698EB
        Source: C:\Quotation.exe | Code function: 5_2_0496306F
        Source: C:\Quotation.exe | Code function: 5_2_049695D8
        Source: C:\Quotation.exe | Code function: 5_2_0496969F
        Source: C:\Quotation.exe | Code function: 10_2_0039524A
        Source: C:\Quotation.exe | Code function: 10_2_02593850
        Source: C:\Quotation.exe | Code function: 10_2_02592FA8
        Source: C:\Quotation.exe | Code function: 10_2_025923A0
        Source: C:\Quotation.exe | Code function: 10_2_0259306F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_0086524A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_02BE2FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_02BE23A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_02BE3850
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_02BE306F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00AA524A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_014F2FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_014F23A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_014F306F
        Source: C:\Quotation.sfx.exe | Code function: String function: 0035CDF0 appears 37 times
        Source: C:\Quotation.sfx.exe | Code function: String function: 0035D810 appears 31 times
        Source: C:\Quotation.sfx.exe | Code function: String function: 0035CEC0 appears 53 times
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: String function: 00CDCDF0 appears 37 times
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: String function: 00CDCEC0 appears 53 times
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: String function: 00CDD810 appears 31 times
        Source: CU3e1CWzlr.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: CU3e1CWzlr.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Quotation.sfx.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Quotation.sfx.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: CU3e1CWzlr.exe, 00000000.00000002.201501099.00000000053A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CU3e1CWzlr.exe
        Source: CU3e1CWzlr.exe, 00000000.00000002.201651304.00000000054A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CU3e1CWzlr.exe
        Source: CU3e1CWzlr.exe, 00000000.00000002.201651304.00000000054A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CU3e1CWzlr.exe
        Source: CU3e1CWzlr.exe, 00000000.00000002.201368998.0000000003100000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs CU3e1CWzlr.exe
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Section loaded: dxgidebug.dll
        Source: C:\Quotation.sfx.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
        Source: C:\Quotation.sfx.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Quotation.sfx.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
        Source: C:\Quotation.sfx.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Quotation.sfx.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
        Source: C:\Quotation.sfx.exe | Section loaded: dxgidebug.dll
        Source: CU3e1CWzlr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
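The "Code function" addresses reported for the submitted CU3e1CWzlr.exe (process 0) and for the dropped Quotation.sfx.exe (process 4) differ by a constant 0x980000 (0x00CD5983 vs 0x00355983, 0x00CC83EB vs 0x003483EB, and the string functions 0x00CDCDF0 vs 0x0035CDF0), which is the pattern one sees when the same image is loaded at two different bases; the .NET payload Quotation.exe (process 5) shares no such offset with either. The following is an added example, not part of the report, that checks this mechanically: it parses the address lines, finds the most common pairwise delta between two processes, and reports what share of one process's functions land in the other's after shifting by it. The address lines are copied from the report; that a constant delta indicates the same code rebased is an inference from those addresses, not a statement the report makes.

```python
"""Test whether two 'Code function' address lists are the same code at two
image bases. Added example, not part of the Joe Sandbox report; the reading
that a constant delta means one image loaded at two bases is an inference."""
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the report's "Code function" lines for the
# submitted sample (process 0), the dropped Quotation.sfx.exe (process 4) and
# the .NET payload Quotation.exe (process 5).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD5983
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CC83EB
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CEE8D4
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CDE8EC
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CD30E5
Source: C:\Users\user\Desktop\CU3e1CWzlr.exe | Code function: 0_2_00CCE097
Source: C:\Quotation.sfx.exe | Code function: 4_2_00355983
Source: C:\Quotation.sfx.exe | Code function: 4_2_003483EB
Source: C:\Quotation.sfx.exe | Code function: 4_2_0034E097
Source: C:\Quotation.sfx.exe | Code function: 4_2_003530E5
Source: C:\Quotation.sfx.exe | Code function: 4_2_0035E8EC
Source: C:\Quotation.sfx.exe | Code function: 4_2_0036E8D4
Source: C:\Quotation.exe | Code function: 5_2_0016524A
Source: C:\Quotation.exe | Code function: 5_2_00882479
Source: C:\Quotation.exe | Code function: 5_2_00897AC1
Source: C:\Quotation.exe | Code function: 5_2_04963850
Source: C:\Quotation.exe | Code function: 5_2_049689D8
Source: C:\Quotation.exe | Code function: 5_2_0496B2A8
"""

# "<process index>_<phase>_<8 hex digits>", as Joe Sandbox names code functions.
FUNC_RE = re.compile(r"Code function:\s*(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})\b")


def addresses_by_process(text):
    """Map Joe Sandbox process index -> sorted list of function addresses."""
    out = defaultdict(set)
    for m in FUNC_RE.finditer(text):
        out[int(m.group("proc"))].add(int(m.group("addr"), 16))
    return {p: sorted(a) for p, a in out.items()}


def rebase_delta(a, b):
    """Return (delta, fraction): the most common (b - a) difference over all
    address pairs, and the share of a's addresses that land in b when shifted
    by it. A fraction of 1.0 means b is exactly a plus a constant, i.e. the
    same function set at another image base; near 1/len(a) means unrelated."""
    a_set, b_set = set(a), set(b)
    if not a_set or not b_set:
        return None, 0.0
    deltas = Counter(y - x for x in a_set for y in b_set)
    delta, _ = deltas.most_common(1)[0]
    hits = sum(1 for x in a_set if x + delta in b_set)
    return delta, hits / len(a_set)


if __name__ == "__main__":
    addrs = addresses_by_process(REPORT_LINES)
    for p, q in ((4, 0), (0, 5), (4, 5)):
        delta, frac = rebase_delta(addrs[p], addrs[q])
        print(f"process {p} -> {q}: delta={delta:#x} matched={frac:.0%}")
```

Shifting every process 4 address by +0x980000 lands on a process 0 address (100% match), while process 5 shares no usable delta with either. The matched share, rather than a bare delta, is what makes the check useful: with unrelated lists the most common delta still exists, it just explains one pair.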
        Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Quotation.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: C:\Quotation.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: C:\Quotation.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.Quotation.exe.2a33808.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.Quotation.exe.2a33808.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3223dc4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3223dc4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.Quotation.exe.2781718.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.2781718.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.2fa3dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.2fa3dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.Quotation.exe.51b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.51b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
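The Yara hit list above is long because every memory dump, dropped file and unpacked region is reported separately; what an analyst actually wants is the matrix of which rule fired on which artifact type and inside which process. The following added example (not part of the report or of the sandbox's own tooling) parses lines in the report's "Source: ..., type: ... / Matched rule: ..." shape, including the rule metadata, and collapses them by rule and by process. The four input lines are constructed from entries above; the tolerance for a " | " or whitespace column separator and the pattern assumed for unpack names (process index, phase, image name, address, counter, optional ".raw") are assumptions about the report format.

```python
import re
from collections import defaultdict

# Constructed input: four lines in the shape of the report's Yara section
# (values taken from entries above; the column separator is assumed to be
# " | " or plain whitespace).
SAMPLE_LINES = [
    "Source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T",
    "Source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore",
    "Source: 5.2.Quotation.exe.2781718.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT",
]

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>[A-Z]+)\s*\|?\s*"
    r"Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$"
)
# "key = value" pairs; a value runs until the next ", key = " or end of line,
# so values that themselves contain commas or spaces survive.
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")
PROC_RE = re.compile(r"^Process Memory Space: (?P<name>\S+) PID: (?P<pid>\d+)$")
# Assumed unpack naming: <process index>.<phase>.<image>.<address>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.\d+\.(?P<name>.+?\.exe)\.[0-9a-f]+\.\d+(?:\.raw)?\.unpack$")


def parse_match(line: str):
    """One report line -> dict with source, type, rule, parsed rule metadata
    and the process (or dropped file name) the hit belongs to; None if the
    line is not a Yara match line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["meta"] = dict(META_RE.findall(rec.pop("meta")))
    src = rec["source"]
    proc = PROC_RE.match(src)
    unpack = UNPACK_RE.match(src)
    if proc:
        rec["process"], rec["pid"] = proc["name"], int(proc["pid"])
    elif unpack:
        rec["process"], rec["pid"] = unpack["name"], None
    elif rec["type"] == "DROPPED":
        rec["process"], rec["pid"] = src.rsplit("\\", 1)[-1], None
    else:
        rec["process"], rec["pid"] = None, None
    return rec


def summarize(lines):
    """Collapse the hit list: artifact types per rule, rules per process,
    and each rule's author taken from its metadata."""
    by_rule, by_proc, authors = defaultdict(set), defaultdict(set), {}
    for line in lines:
        rec = parse_match(line)
        if rec is None:
            continue
        by_rule[rec["rule"]].add(rec["type"])
        if rec["process"]:
            by_proc[rec["process"]].add(rec["rule"])
        authors[rec["rule"]] = rec["meta"].get("author")
    return {
        "by_rule": {r: sorted(t) for r, t in by_rule.items()},
        "by_process": {p: sorted(r) for p, r in by_proc.items()},
        "authors": authors,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Run over the full section, the summary shows at a glance that the same three rules fire on the dropped copies, on the unpacked images and in live memory of both dhcpmon.exe and Quotation.exe, which is the evidence behind the "Yara detected Nanocore RAT" signature; the metadata dict also gives the rule author and reference hash for each rule without reading them off every line.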
Source: Quotation.exe.4.dr | Static PE information: Section: .rsrc ZLIB complexity 1.00033291903
Source: dhcpmon.exe.5.dr | Static PE information: Section: .rsrc ZLIB complexity 1.00033291903
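A ZLIB complexity of 1.0003 for .rsrc means the resource section does not compress at all: a resource section holding icons, version info or strings would shrink noticeably, so a value at or above 1.0 is a strong static hint that the section carries packed or encrypted payload. The following added example (not code from the report or from the sandbox) computes that metric per section with a header-only PE parser and flags incompressible sections; it assumes the metric is the zlib-compressed size divided by the raw size, and the PE it analyses is a constructed fixture (a text-like section next to a random blob standing in for an encrypted resource), not the sample from this report.

```python
import os
import struct
import zlib


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size (assumed definition of the
    report's 'ZLIB complexity'). Code or text lands well below 1.0;
    encrypted or already-compressed bytes land at or slightly above 1.0
    because zlib adds framing overhead to data it cannot shrink."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section of a PE image, reading
    only e_lfanew, the COFF header and the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    (opt_hdr_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_hdr_size
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def section_complexities(pe: bytes) -> dict:
    return {name: round(zlib_complexity(data), 4) for name, data in pe_sections(pe)}


def suspicious_sections(pe: bytes, threshold: float = 0.95) -> list:
    """Names of sections whose content is essentially incompressible."""
    return [n for n, c in section_complexities(pe).items() if c >= threshold]


def build_minimal_pe(sections) -> bytes:
    """Constructed fixture: a header-only PE (no optional header) whose
    section table points at the given (name, payload) pairs. Enough for
    the parser above; it is not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table_off = e_lfanew + 4 + 20
    data_off = table_off + 40 * len(sections)
    headers, payload = b"", b""
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 bytes of remaining fields
        headers += struct.pack("<8sIIII16x", name.encode("ascii"), len(data), 0x1000,
                               len(data), data_off + len(payload))
        payload += data
    return dos + b"PE\0\0" + coff + headers + payload


def demo_pe() -> bytes:
    """Constructed sample: a text-like section next to a 64 KiB random blob
    standing in for an encrypted resource section."""
    text = b"This program cannot be run in DOS mode.\r\n" * 400
    return build_minimal_pe([(".text", text), (".rsrc", os.urandom(64 * 1024))])


if __name__ == "__main__":
    pe = demo_pe()
    for name, c in section_complexities(pe).items():
        print(f"{name:8s} zlib complexity {c:.4f}")
    print("suspicious:", suspicious_sections(pe))
```

On a real file, replace demo_pe() with the bytes of the dropped Quotation.exe or dhcpmon.exe; a .rsrc value of about 1.0003, as the report shows, will be reported as suspicious while a normal resource section comes out well under the threshold. The threshold is a judgement call: sections holding compressed images (PNG icons) also sit near 1.0, so the metric is a triage signal to pair with the section size and the crypto API usage listed below, not a verdict on its own.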
Source: Quotation.exe.4.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Quotation.exe.4.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Quotation.exe.4.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.5.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.5.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Quotation.exe.160000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Quotation.exe.160000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.Quotation.exe.160000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.5.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.5.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.Quotation.exe.160000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.Quotation.exe.160000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.Quotation.exe.390000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Quotation.exe.390000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.Quotation.exe.160000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.Quotation.exe.160000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Quotation.exe.4.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Quotation.exe.4.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.0.dhcpmon.exe.aa0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.Quotation.exe.390000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.Quotation.exe.390000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.dhcpmon.exe.860000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.dhcpmon.exe.860000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.dhcpmon.exe.aa0000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.dhcpmon.exe.860000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.dhcpmon.exe.860000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@18/10@9/1
        Source: C:\Quotation.exeCode function: 5_2_04A8149A AdjustTokenPrivileges,
        Source: C:\Quotation.exeCode function: 5_2_04A81463 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CD8BCF FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
        Source: C:\Quotation.exeFile created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Quotation.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
        Source: C:\Quotation.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Quotation.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{894ac765-a5c8-42af-bb6a-ac66f210ce48}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_01
        Source: C:\Quotation.exeFile created: C:\Users\user\AppData\Local\Temp\tmpA16B.tmp
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\1.bat' '
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCommand line argument: sfxname
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCommand line argument: sfxstime
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCommand line argument: STARTDLG
        Source: C:\Quotation.sfx.exeCommand line argument: *x9
        Source: C:\Quotation.sfx.exeCommand line argument: *a8
        Source: C:\Quotation.sfx.exeCommand line argument: 8y9
        Source: C:\Quotation.sfx.exeCommand line argument: sfxname
        Source: C:\Quotation.sfx.exeCommand line argument: sfxstime
        Source: C:\Quotation.sfx.exeCommand line argument: STARTDLG
        Source: CU3e1CWzlr.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Quotation.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Quotation.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Quotation.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeFile read: C:\Windows\win.ini
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: CU3e1CWzlr.exeVirustotal: Detection: 56%
        Source: CU3e1CWzlr.exeMetadefender: Detection: 32%
        Source: CU3e1CWzlr.exeReversingLabs: Detection: 72%
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeFile read: C:\Users\user\Desktop\CU3e1CWzlr.exe
        Source: unknownProcess created: C:\Users\user\Desktop\CU3e1CWzlr.exe 'C:\Users\user\Desktop\CU3e1CWzlr.exe'
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\1.bat' '
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Quotation.sfx.exe Quotation.sfx.exe -p123 dc:\
        Source: C:\Quotation.sfx.exeProcess created: C:\Quotation.exe 'C:\Quotation.exe'
        Source: C:\Quotation.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Quotation.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Quotation.exe C:\Quotation.exe 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\1.bat' '
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Quotation.sfx.exe Quotation.sfx.exe -p123 dc:\
        Source: C:\Quotation.sfx.exeProcess created: C:\Quotation.exe 'C:\Quotation.exe'
        Source: C:\Quotation.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'
        Source: C:\Quotation.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp'
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Quotation.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Quotation.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: CU3e1CWzlr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: CU3e1CWzlr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: CU3e1CWzlr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: CU3e1CWzlr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: CU3e1CWzlr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: CU3e1CWzlr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: CU3e1CWzlr.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: CU3e1CWzlr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: CU3e1CWzlr.exe
        Source: Binary string: rlib.pdbLE=C:\( source: Quotation.exe, 00000005.00000002.466255893.0000000000930000.00000004.00000040.sdmp
        Source: Binary string: ib.pdb>r source: Quotation.exe, 00000005.00000002.466500509.000000000099C000.00000004.00000020.sdmp
        Source: Binary string: mscorrc.pdb source: Quotation.exe, 00000005.00000002.471858853.0000000005150000.00000002.00000001.sdmp
        Source: CU3e1CWzlr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: CU3e1CWzlr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: CU3e1CWzlr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: CU3e1CWzlr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: CU3e1CWzlr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: Quotation.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: Quotation.exe.4.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.5.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.5.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeFile created: C:\\__tmp_rar_sfx_access_check_3772593
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDD856 push ecx; ret
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDCDF0 push eax; ret
        Source: C:\Quotation.sfx.exeCode function: 4_2_0035D856 push ecx; ret
        Source: C:\Quotation.sfx.exeCode function: 4_2_0035CDF0 push eax; ret
        Source: C:\Quotation.exeCode function: 5_2_008932FC push eax; iretd
        Source: C:\Quotation.exeCode function: 5_2_00899D78 pushad ; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02DB0000 push ss; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02DB063B pushfd ; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02DB0638 pushfd ; retf
        Source: Quotation.exe.4.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: Quotation.exe.4.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: dhcpmon.exe.5.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: dhcpmon.exe.5.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.Quotation.exe.160000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.0.Quotation.exe.160000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.2.Quotation.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.0.Quotation.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.dhcpmon.exe.860000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.0.dhcpmon.exe.860000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.dhcpmon.exe.aa0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.0.dhcpmon.exe.aa0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeFile created: C:\Quotation.sfx.exe
        Source: C:\Quotation.sfx.exeFile created: C:\Quotation.exe
        Source: C:\Quotation.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Quotation.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Quotation.exeFile opened: C:\Quotation.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Quotation.sfx.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Quotation.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Quotation.sfx.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Quotation.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Quotation.exeWindow / User API: foregroundWindowGot 994
        Source: C:\Quotation.exe TID: 6612Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Quotation.exe TID: 6608Thread sleep time: -240000s >= -30000s
        Source: C:\Quotation.exe TID: 6668Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6684Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6904Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CCA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CE7D69 FindFirstFileExA,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
        Source: C:\Quotation.sfx.exeCode function: 4_2_0034A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
        Source: C:\Quotation.sfx.exeCode function: 4_2_0035A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
        Source: C:\Quotation.sfx.exeCode function: 4_2_00367D69 FindFirstFileExA,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDC8D4 VirtualQuery,GetSystemInfo,
        Source: C:\Quotation.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: Quotation.exe, 00000005.00000003.427330798.0000000000A1F000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
        Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: Quotation.exe, 00000005.00000003.427330798.0000000000A1F000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
        Source: Quotation.exe, 00000005.00000002.472305025.0000000005E40000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Quotation.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDDA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CE49FA mov eax, dword ptr fs:[00000030h]
        Source: C:\Quotation.sfx.exeCode function: 4_2_003649FA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CE8A9B GetProcessHeap,
        Source: C:\Quotation.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDDB63 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDDA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CE5B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDDD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Quotation.sfx.exeCode function: 4_2_0035DB63 SetUnhandledExceptionFilter,
        Source: C:\Quotation.sfx.exeCode function: 4_2_0035DA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Quotation.sfx.exeCode function: 4_2_00365B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Quotation.sfx.exeCode function: 4_2_0035DD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Quotation.exeMemory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\1.bat' '
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Quotation.sfx.exe Quotation.sfx.exe -p123 dc:\
        Source: C:\Quotation.sfx.exeProcess created: C:\Quotation.exe 'C:\Quotation.exe'
        Source: C:\Quotation.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'
        Source: C:\Quotation.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp'
        Source: Quotation.exe, 00000005.00000003.427330798.0000000000A1F000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: Quotation.exe, 00000005.00000002.466991941.0000000000EF0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: Quotation.exe, 00000005.00000002.466991941.0000000000EF0000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: Quotation.exe, 00000005.00000002.470611593.00000000029D8000.00000004.00000001.sdmpBinary or memory string: Program Manager8
        Source: Quotation.exe, 00000005.00000003.427330798.0000000000A1F000.00000004.00000001.sdmpBinary or memory string: Program ManagerS
        Source: Quotation.exe, 00000005.00000002.466991941.0000000000EF0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: Quotation.exe, 00000005.00000003.245333599.0000000000A1F000.00000004.00000001.sdmpBinary or memory string: Program Managert$
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDD86B cpuid
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: GetLocaleInfoW,GetNumberFormatW,
        Source: C:\Quotation.sfx.exeCode function: GetLocaleInfoW,GetNumberFormatW,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CDC130 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,
        Source: C:\Quotation.exeCode function: 5_2_0088AF9A GetUserNameW,
        Source: C:\Users\user\Desktop\CU3e1CWzlr.exeCode function: 0_2_00CCA930 GetVersionExW,
        Source: C:\Quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY
        Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
        Source: Yara matchFile source: C:\Quotation.exe, type: DROPPED
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Quotation.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: Quotation.exe, 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: Quotation.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: Quotation.exe, 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe.5.dr, String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match, File source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Quotation.exe PID: 6488, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6872, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6656, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Quotation.exe PID: 6636, type: MEMORY
        Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
        Source: Yara match, File source: C:\Quotation.exe, type: DROPPED
        Source: Yara match, File source: 11.2.dhcpmon.exe.3fd311d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.424eaf4.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.4249cbe.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.5440000.8.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.0.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.dhcpmon.exe.3fceaf4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Quotation.exe.3a59cbe.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Quotation.exe.390000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.dhcpmon.exe.3fceaf4.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.37beaf4.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.37beaf4.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.0.dhcpmon.exe.860000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.425311d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.424eaf4.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.dhcpmon.exe.3fc9cbe.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.5444629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Quotation.exe.3a5eaf4.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.5440000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.37b9cbe.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.Quotation.exe.37c311d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.0.Quotation.exe.160000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Quotation.exe.3a5eaf4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.0.dhcpmon.exe.aa0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Quotation.exe.3a6311d.2.raw.unpack, type: UNPACKEDPE
        Source: C:\Quotation.exe, Code function: 5_2_04A8292E bind,
        Source: C:\Quotation.exe, Code function: 5_2_04A828FB bind,

        Mitre Att&ck Matrix

        Techniques listed per tactic column; a trailing number is the report's hit counter for a technique matched by this sample's signatures (techniques without a number were not observed).

        • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
        • Execution: Scripting1, Command and Scripting Interpreter2, Scheduled Task/Job1, At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
        • Persistence: DLL Side-Loading1, Scheduled Task/Job1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
        • Privilege Escalation: DLL Side-Loading1, Access Token Manipulation1, Process Injection12, Scheduled Task/Job1, Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
        • Defense Evasion: Disable or Modify Tools1, Deobfuscate/Decode Files or Information11, Scripting1, Obfuscated Files or Information2, Software Packing13, DLL Side-Loading1, Masquerading2, Virtualization/Sandbox Evasion31, Access Token Manipulation1, Process Injection12, Hidden Files and Directories1
        • Credential Access: Input Capture21, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
        • Discovery: System Time Discovery1, Account Discovery1, File and Directory Discovery2, System Information Discovery25, Security Software Discovery131, Process Discovery2, Virtualization/Sandbox Evasion31, Application Window Discovery1, System Owner/User Discovery1, Process Discovery, Permission Groups Discovery
        • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
        • Collection: Archive Collected Data11, Input Capture21, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
        • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
        • Command and Control: Encrypted Channel1, Non-Standard Port1, Remote Access Software1, Non-Application Layer Protocol1, Application Layer Protocol21, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
        • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
        • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
        • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

        Behavior Graph

        Behavior Graph ID: 383199, Sample: CU3e1CWzlr.exe, Start date: 07/04/2021, Architecture: WINDOWS, Score: 100
        Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures

        Process tree recovered from the graph (dropped files, contacted hosts and signatures are listed under the process they belong to):

        • CU3e1CWzlr.exe
          dropped: C:\Quotation.sfx.exe (PE32)
          • cmd.exe
            • Quotation.sfx.exe
              dropped: C:\Quotation.exe (PE32)
              signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
              • Quotation.exe
                network: oleg321.ddns.net, 185.244.26.250 (VAMU-ASIP-TRANSITVAMURU, Netherlands), ports 3231, 49720, 49730
                dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmpA16B.tmp (XML)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
                • schtasks.exe
                  • conhost.exe
                • schtasks.exe
                  • conhost.exe
            • conhost.exe
        • Quotation.exe
          dropped: C:\Users\user\AppData\...\Quotation.exe.log (ASCII)
        • dhcpmon.exe
          dropped: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)
        • dhcpmon.exe


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        CU3e1CWzlr.exe | 57% | Virustotal |
        CU3e1CWzlr.exe | 35% | Metadefender |
        CU3e1CWzlr.exe | 73% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
        CU3e1CWzlr.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
        C:\Quotation.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
        C:\Quotation.sfx.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Quotation.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 86% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
        C:\Quotation.exe | 86% | Metadefender |
        C:\Quotation.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
        C:\Quotation.sfx.exe | 32% | Metadefender |
        C:\Quotation.sfx.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore

        Unpacked PE Files

        Source | Detection | Scanner | Label
        10.2.Quotation.exe.390000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.2.Quotation.exe.5440000.8.unpack | 100% | Avira | TR/NanoCore.fadte
        11.2.dhcpmon.exe.860000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        10.0.Quotation.exe.390000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.2.Quotation.exe.160000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        11.0.dhcpmon.exe.860000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.2.dhcpmon.exe.aa0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.0.Quotation.exe.160000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.0.dhcpmon.exe.aa0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        185.244.26.250 | 0% | Virustotal |
        185.244.26.250 | 0% | Avira URL Cloud | safe
        oleg321.ddns.net | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        oleg321.ddns.net | 185.244.26.250 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          185.244.26.250 | true | Virustotal: 0%; Avira URL Cloud: safe | unknown
          oleg321.ddns.net | true | Avira URL Cloud: safe | unknown

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          185.244.26.250 | oleg321.ddns.net | Netherlands | 47158 | VAMU-ASIP-TRANSITVAMURU | true

          General Information

          Joe Sandbox Version: 31.0.0 Emerald
          Analysis ID: 383199
          Start date: 07.04.2021
          Start time: 13:11:11
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 12m 1s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: CU3e1CWzlr.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed: 35
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@18/10@9/1
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 99.8% (good quality ratio 95.5%)
          • Quality average: 79.5%
          • Quality standard deviation: 27.2%
          HCA Information:
          • Successful, ratio: 70%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • TCP Packets have been reduced to 100
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          13:12:03 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Quotation.exe" s>$(Arg0)
          13:12:03 | API Interceptor | 1012x Sleep call for process: Quotation.exe modified
          13:12:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          13:12:04 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          Match | Associated Sample Name / URL | Detection | Context
          VAMU-ASIP-TRANSITVAMURU | odW62S0306.exe | malicious | 185.244.26.204
          VAMU-ASIP-TRANSITVAMURU | ORDEN.exe | malicious | 185.244.26.196
          VAMU-ASIP-TRANSITVAMURU | sB2ppXd9nd1DsMC.exe | malicious | 185.244.26.241
          VAMU-ASIP-TRANSITVAMURU | 2CBPOfVTs5QeG8Z.exe | malicious | 185.244.26.208
          VAMU-ASIP-TRANSITVAMURU | i5TiYkAYkWJy1O8.exe | malicious | 185.244.26.208
          VAMU-ASIP-TRANSITVAMURU | NEW ORDERS.exe | malicious | 185.244.26.227
          VAMU-ASIP-TRANSITVAMURU | DHL STATEMENT OF ACCOUNT.exe | malicious | 185.244.26.194
          VAMU-ASIP-TRANSITVAMURU | DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.exe | malicious | 185.244.26.221
          VAMU-ASIP-TRANSITVAMURU | sf_express_waybill_parcelArrival.docx.exe | malicious | 185.244.26.221
          VAMU-ASIP-TRANSITVAMURU | COVID-19 CDC Secon Outbreak Warning release.exe | malicious | 185.244.26.221
          VAMU-ASIP-TRANSITVAMURU | Kaszfnrcg7.exe | malicious | 185.244.26.213
          VAMU-ASIP-TRANSITVAMURU | Inv No.5200003959 (FL).exe | malicious | 185.244.26.247
          VAMU-ASIP-TRANSITVAMURU | CDC GUIDES COVID-19 Second Outbreak Warning release.exe | malicious | 185.244.26.221
          VAMU-ASIP-TRANSITVAMURU | 85RNPseqgJ.exe | malicious | 185.244.26.206
          VAMU-ASIP-TRANSITVAMURU | Olzcqxcxnf9.exe | malicious | 185.244.26.213
          VAMU-ASIP-TRANSITVAMURU | R1MfM3z2Nz.exe | malicious | 185.244.26.206
          VAMU-ASIP-TRANSITVAMURU | Fh06tuCZaK.exe | malicious | 185.244.26.206
          VAMU-ASIP-TRANSITVAMURU | AlTKG0L5d8.exe | malicious | 185.244.26.206
          VAMU-ASIP-TRANSITVAMURU | Rbmmuoavjkz8.exe | malicious | 185.244.26.213
          VAMU-ASIP-TRANSITVAMURU | PO 6300019918..exe | malicious | 185.244.26.206

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\1.bat
          Process: C:\Users\user\Desktop\CU3e1CWzlr.exe
          File Type: ASCII text, with no line terminators
          Category: dropped
          Size (bytes): 28
          Entropy (8bit): 4.378783493486176
          Encrypted: false
          SSDEEP: 3:pSeEJNFIVUGCf5:WNyVUGCf5
          MD5: 31C145900B71996E1EF9D60F37899282
          SHA1: C6CE32DD6F468585A47AB317D5FBC14643F04BAE
          SHA-256: 64A6B58057E1FAF070B6757CB96699E6037079013D2F6103C146EC14C0788014
          SHA-512: C93AE9E6EF4CF26A07D4C610A9FF66C27C822A98F48F858E671959209CFEE6DC65C9862DF33285D397FBBAB18E6D162596F4FCBBC939ADEF9D65C91D5E47C235
          Malicious: false
          Reputation: low
          Preview: Quotation.sfx.exe -p123 dc:\
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Process: C:\Quotation.exe
          File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category: dropped
          Size (bytes): 207872
          Entropy (8bit): 7.45145986611402
          Encrypted: false
          SSDEEP: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPhO1RxN+dAu8imqhVPd63DfOM:MLV6Bta6dtJmakIM5ewC86hV1UfUgrTJ
          MD5: C83BD9093E7AE550FC49FDC1A90B7F9E
          SHA1: 59E77D7E3C293A81C1113EF21B93F0D2792CF0D2
          SHA-256: C3E6B1EB9B5B402489CA89A617577E0794E3B6D6A542AD11B43F9D37F0664622
          SHA-512: 0812172CA01847BA1161A7A82D93E25B132D311B085EE643D915F0168A7333BBE8E77830D726A2E037744FCA24EC0285E36B017BC9CF28C4668CAACA52800532
          Malicious: true
          Yara Hits:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Metadefender, Detection: 86%
          • Antivirus: ReversingLabs, Detection: 100%
          Reputation: low
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. ......................................................................8...W.... ..._........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...._... ...`..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
          C:\Quotation.exe
          Process: C:\Quotation.sfx.exe
          File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category: modified
          Size (bytes): 207872
          Entropy (8bit): 7.45145986611402
          Encrypted: false
          SSDEEP: 3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIPhO1RxN+dAu8imqhVPd63DfOM:MLV6Bta6dtJmakIM5ewC86hV1UfUgrTJ
          MD5: C83BD9093E7AE550FC49FDC1A90B7F9E
          SHA1: 59E77D7E3C293A81C1113EF21B93F0D2792CF0D2
          SHA-256: C3E6B1EB9B5B402489CA89A617577E0794E3B6D6A542AD11B43F9D37F0664622
          SHA-512: 0812172CA01847BA1161A7A82D93E25B132D311B085EE643D915F0168A7333BBE8E77830D726A2E037744FCA24EC0285E36B017BC9CF28C4668CAACA52800532
          Malicious: true
          Yara Hits:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Quotation.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Quotation.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Quotation.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Quotation.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Metadefender, Detection: 86%
          • Antivirus: ReversingLabs, Detection: 100%
          Reputation: low
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. ......................................................................8...W.... ..._........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...._... ...`..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
          C:\Quotation.sfx.exe
          Process: C:\Users\user\Desktop\CU3e1CWzlr.exe
          File Type: PE32 executable (GUI) Intel 80386, for MS Windows
          Category: modified
          Size (bytes): 458627
          Entropy (8bit): 7.315371843776508
          Encrypted: false
          SSDEEP: 12288:9crNS33L10QdrXP/X+tGfn8uFLRw46p2ptRv:ANA3R5drXPrf8uXdbV
          MD5: 9C30B408BBF38395C4BB213682044B68
          SHA1: 05B0F3897EC86D4803B4E631A68AB86DDDC6CA54
          SHA-256: 23748678A2C83CEE8C47A97C1263E57E3439F0E78141E2962966F59BAE87110A
          SHA-512: 0480FDC58E4B5D8785CFEDE13C601E587EBA67968F117E678FFE893516B087C7057EF381B0DD246B61F5710EB06253CBAE7E1A712A4B3C98796954EFD5102213
          Malicious: true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Metadefender, Detection: 32%
          • Antivirus: ReversingLabs, Detection: 76%
          Reputation: low
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~............b......b..<....b.....)^......................................... ...... ......%...... ......Rich............PE..L......\............................Y.............@.......................................@.............................4......<....................................n..T...........................(...@...............\...L... ....................text...T........................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc........... ...x..............@..B................................................................................................................................................................................................................................................
          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Quotation.exe.log
          Process: C:\Quotation.exe
          File Type: ASCII text, with CRLF line terminators
          Category: dropped
          Size (bytes): 525
          Entropy (8bit): 5.2874233355119316
          Encrypted: false
          SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
          MD5: 61CCF53571C9ABA6511D696CB0D32E45
          SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
          SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
          SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
          Malicious: true
          Reputation: high, very likely benign file
          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
          Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type: ASCII text, with CRLF line terminators
          Category: dropped
          Size (bytes): 525
          Entropy (8bit): 5.2874233355119316
          Encrypted: false
          SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
          MD5: 61CCF53571C9ABA6511D696CB0D32E45
          SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
          SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
          SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
          Malicious: true
          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
          C:\Users\user\AppData\Local\Temp\tmpA16B.tmp
          Process: C:\Quotation.exe
          File Type: XML 1.0 document, ASCII text, with CRLF line terminators
          Category: dropped
          Size (bytes): 1279
          Entropy (8bit): 5.075594439226328
          Encrypted: false
          SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK01xtn:cbk4oL600QydbQxIYODOLedq3cj
          MD5: 020431D764EA265AB8462B9C69828063
          SHA1: 257B24D0FF69B531CA5C0BA7E8D0A9CA208EEB9C
          SHA-256: F85E229E04B155C4E0B5C7788DD735FB17542CE2028B3441560B77B30BB35306
          SHA-512: A83EDADF38E8A2FE3AC31B0FBEA47BDDF693B5873E88BCE4E00739691AF1486A83F083C6D5A62C1CED1EACFA81702734B694DF0FA4246483C6B729A91CB6D472
          Malicious: true
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Local\Temp\tmpA45A.tmp
          Process:C:\Quotation.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1310
          Entropy (8bit):5.109425792877704
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
          Malicious:false
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Quotation.exe
          File Type:data
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:3UVt:a
          MD5:D6676EE740B651B46142810DB18B57F0
          SHA1:EE8AC1B50C1DE890E23B6B536AC43F7A7EE1E485
          SHA-256:25A1101CDA6648DBA36FE002068CAB8D886668E21D6D4776F1042B430F813981
          SHA-512:994EB04B85B4E2BE93A177E020382B24E32FC1B9C1CA6CF0257BCD823251596EF8C08166602034D4DCCCD38BB22699E6707B0038EC5DB51B46A4DB252D9C83A7
          Malicious:true
          Preview: .'.g...H
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
          Process:C:\Quotation.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):16
          Entropy (8bit):3.625
          Encrypted:false
          SSDEEP:3:oFMeNn:oFh
          MD5:CCF14158D80722DA582C415C0CD0C267
          SHA1:1EEA0355F97142D9C9B123C04A9855A00695FA96
          SHA-256:42A6CC1CA4FD2D7225F9D7ACB0243D15BAC13BB70D4B5716F55AFEED5551AF14
          SHA-512:B6D9CCBF825A1361C3AC2715EE7560D099645B532E2D2E9BECC5D69834D2F55E4D1D11854488E09A587D462F535A7E8DBD96434B1DC1AA2893D3726D9CFD9336
          Malicious:false
          Preview: C:\Quotation.exe

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.567706196816486
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:CU3e1CWzlr.exe
          File size:620007
          MD5:bc906f26edfec13cdb13d8a6b97f344b
          SHA1:33933248690d87f77693865e7393395ec2ea3792
          SHA256:23ac7754b6ad5fc382857b05ad514a716cd3dcf861867d3be02a5a92ca7fe067
          SHA512:cbeeaade944273775bc4a7f7a436599c5c7212ab7d2b864045424d8f69b0d91fb6e01fae7390f38f5dd119c3457d534ed4547c725e300ed8c6416e47d58549ae
          SSDEEP:12288:9crNS33L10QdrXP/X+tGfnYMOwYgc4T7fkj0D+8:ANA3R5drXPrfY+BS0i8
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~..............b.......b..<....b......)^...................................................... ....... .......%....... ......

          File Icon

          Icon Hash:d49494d6c88ecec2

          Static PE Info

          General

          Entrypoint:0x41d759
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x5CC4B58F [Sat Apr 27 20:03:27 2019 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:00be6e6c4f9e287672c8301b72bdabf3

          Entrypoint Preview

          Instruction
          call 00007F09B877247Fh
          jmp 00007F09B8771EB3h
          cmp ecx, dword ptr [0043A1C8h]
          jne 00007F09B8772025h
          ret
          jmp 00007F09B87725F5h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 00430FE8h
          mov dword ptr [ecx], 00431994h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F09B87655CBh
          mov dword ptr [esi], 004319A0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 004319A8h
          mov dword ptr [ecx], 004319A0h
          ret
          push ebp
          mov ebp, esp
          sub esp, 0Ch
          lea ecx, dword ptr [ebp-0Ch]
          call 00007F09B8771FCCh
          push 00437B74h
          lea eax, dword ptr [ebp-0Ch]
          push eax
          call 00007F09B87748B6h
          int3
          push ebp
          mov ebp, esp
          sub esp, 0Ch
          lea ecx, dword ptr [ebp-0Ch]
          call 00007F09B8771FE2h
          push 00437DA4h
          lea eax, dword ptr [ebp-0Ch]
          push eax
          call 00007F09B8774899h
          int3
          jmp 00007F09B87768E5h
          jmp dword ptr [0043025Ch]
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push 004209A0h
          push dword ptr fs:[00000000h]
          mov eax, dword ptr [esp+10h]

          Rich Headers

          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [EXP] VS2015 UPD3.1 build 24215
          • [LNK] VS2015 UPD3.1 build 24215
          • [IMP] VS2008 SP1 build 30729
          • [C++] VS2015 UPD3.1 build 24215
          • [RES] VS2015 UPD3 build 24213

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x38cc0 | 0x34 | .rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38cf4 | 0x3c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0xdfd0 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6b000 | 0x1fcc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36ee0 | 0x54 | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31928 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x30000 | 0x25c | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3824c | 0x120 | .rdata
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x2e854 | 0x2ea00 | False | 0.590891002011 | data | 6.69230972772 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rdata | 0x30000 | 0x9a9c | 0x9c00 | False | 0.457131410256 | DOS executable (COM, 0x8C-variant) | 5.13286467456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0x3a000 | 0x213d0 | 0xc00 | False | 0.2802734375 | data | 3.25381103208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .gfids | 0x5c000 | 0xe8 | 0x200 | False | 0.33984375 | data | 2.11154177446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .rsrc | 0x5d000 | 0xdfd0 | 0xe000 | False | 0.637067522321 | data | 6.63679065017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x6b000 | 0x1fcc | 0x2000 | False | 0.794555664062 | data | 6.64554135223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          PNG | 0x5d650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
          PNG | 0x5e198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
          RT_ICON | 0x5f748 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
          RT_ICON | 0x5fcb0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
          RT_ICON | 0x60558 | 0xea8 | data | English | United States
          RT_ICON | 0x61400 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
          RT_ICON | 0x61868 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
          RT_ICON | 0x62910 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
          RT_ICON | 0x64eb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
          RT_DIALOG | 0x69588 | 0x286 | data | English | United States
          RT_DIALOG | 0x69358 | 0x13a | data | English | United States
          RT_DIALOG | 0x69498 | 0xec | data | English | United States
          RT_DIALOG | 0x69228 | 0x12e | data | English | United States
          RT_DIALOG | 0x68ef0 | 0x338 | data | English | United States
          RT_DIALOG | 0x68c98 | 0x252 | data | English | United States
          RT_STRING | 0x69f68 | 0x1e2 | data | English | United States
          RT_STRING | 0x6a150 | 0x1cc | data | English | United States
          RT_STRING | 0x6a320 | 0x1ee | data | English | United States
          RT_STRING | 0x6a510 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
          RT_STRING | 0x6a658 | 0x446 | data | English | United States
          RT_STRING | 0x6aaa0 | 0x166 | data | English | United States
          RT_STRING | 0x6ac08 | 0x120 | data | English | United States
          RT_STRING | 0x6ad28 | 0x10a | data | English | United States
          RT_STRING | 0x6ae38 | 0xbc | data | English | United States
          RT_STRING | 0x6aef8 | 0xd6 | data | English | United States
          RT_GROUP_ICON | 0x68c30 | 0x68 | data | English | United States
          RT_MANIFEST | 0x69810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

          Imports

          DLL | Import
          KERNEL32.dll | GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
          gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

          Possible Origin

          Language of compilation system | Country where language is spoken | Map
          English | United States |

          Network Behavior

          Snort IDS Alerts

          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          04/07/21-13:13:12.481307 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 63619 | 37.235.1.174 | 192.168.2.3

          Network Port Distribution

          TCP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Apr 7, 2021 13:12:04.284943104 CEST | 49717 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:07.274842024 CEST | 49717 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:13.275221109 CEST | 49717 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:23.153405905 CEST | 49720 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:23.207156897 CEST | 3231 | 49720 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:23.713697910 CEST | 49720 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:23.767625093 CEST | 3231 | 49720 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:24.276237965 CEST | 49720 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:24.329905987 CEST | 3231 | 49720 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:28.340193033 CEST | 49730 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:28.396034956 CEST | 3231 | 49730 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:28.932753086 CEST | 49730 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:28.986098051 CEST | 3231 | 49730 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:29.635945082 CEST | 49730 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:29.689321041 CEST | 3231 | 49730 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:33.851739883 CEST | 49736 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:33.905407906 CEST | 3231 | 49736 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:34.433254957 CEST | 49736 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:34.486736059 CEST | 3231 | 49736 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:35.136393070 CEST | 49736 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:35.189851999 CEST | 3231 | 49736 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:40.075057983 CEST | 49738 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:40.131113052 CEST | 3231 | 49738 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:40.636879921 CEST | 49738 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:40.690064907 CEST | 3231 | 49738 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:41.324430943 CEST | 49738 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:41.377650976 CEST | 3231 | 49738 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:45.530728102 CEST | 49741 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:45.584055901 CEST | 3231 | 49741 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:46.124057055 CEST | 49741 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:46.178337097 CEST | 3231 | 49741 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:46.824892044 CEST | 49741 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:46.878628016 CEST | 3231 | 49741 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:50.904771090 CEST | 49743 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:50.958117008 CEST | 3231 | 49743 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:51.637808084 CEST | 49743 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:51.690824032 CEST | 3231 | 49743 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:52.297792912 CEST | 49743 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:52.351032019 CEST | 3231 | 49743 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:56.423825026 CEST | 49750 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:56.479959011 CEST | 3231 | 49750 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:57.138377905 CEST | 49750 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:57.192867041 CEST | 3231 | 49750 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:12:57.700845957 CEST | 49750 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:12:57.754596949 CEST | 3231 | 49750 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:01.765269041 CEST | 49751 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:01.818501949 CEST | 3231 | 49751 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:02.327560902 CEST | 49751 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:02.380445004 CEST | 3231 | 49751 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:02.889513016 CEST | 49751 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:02.942847967 CEST | 3231 | 49751 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:07.101444960 CEST | 49752 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:07.154831886 CEST | 3231 | 49752 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:07.654999018 CEST | 49752 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:07.708323002 CEST | 3231 | 49752 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:08.217320919 CEST | 49752 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:08.270323992 CEST | 3231 | 49752 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:12.519479036 CEST | 49753 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:12.573050976 CEST | 3231 | 49753 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:13.077043056 CEST | 49753 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:13.130373955 CEST | 3231 | 49753 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:13.639755964 CEST | 49753 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:13.693152905 CEST | 3231 | 49753 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:17.929892063 CEST | 49754 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:17.983099937 CEST | 3231 | 49754 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:18.483767986 CEST | 49754 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:18.537029028 CEST | 3231 | 49754 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:19.046360970 CEST | 49754 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:19.099663019 CEST | 3231 | 49754 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:23.359709024 CEST | 49755 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:23.413091898 CEST | 3231 | 49755 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:23.921894073 CEST | 49755 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:23.974956989 CEST | 3231 | 49755 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:24.479491949 CEST | 49755 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:24.533152103 CEST | 3231 | 49755 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:28.694823027 CEST | 49757 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:28.748089075 CEST | 3231 | 49757 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:29.265958071 CEST | 49757 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:29.319535017 CEST | 3231 | 49757 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:29.828583956 CEST | 49757 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:29.882317066 CEST | 3231 | 49757 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:33.893865108 CEST | 49759 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:33.948729992 CEST | 3231 | 49759 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:34.454088926 CEST | 49759 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:34.507719040 CEST | 3231 | 49759 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:35.016555071 CEST | 49759 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:35.069547892 CEST | 3231 | 49759 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:39.187438965 CEST | 49760 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:39.243577957 CEST | 3231 | 49760 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:39.751199961 CEST | 49760 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:39.805200100 CEST | 3231 | 49760 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:40.313762903 CEST | 49760 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:40.370985031 CEST | 3231 | 49760 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:44.520028114 CEST | 49761 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:44.573076963 CEST | 3231 | 49761 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:45.079724073 CEST | 49761 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:45.133033037 CEST | 3231 | 49761 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:45.642371893 CEST | 49761 | 3231 | 192.168.2.3 | 185.244.26.250
          Apr 7, 2021 13:13:45.696996927 CEST | 3231 | 49761 | 185.244.26.250 | 192.168.2.3
          Apr 7, 2021 13:13:50.252599001 CEST | 49763 | 3231 | 192.168.2.3 | 185.244.26.250

          UDP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Apr 7, 2021 13:12:33.791883945 CEST | 54366 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:12:33.844490051 CEST | 53 | 54366 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:12:39.319566011 CEST | 57762 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:12:40.073358059 CEST | 53 | 57762 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:12:45.461173058 CEST | 56132 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:12:45.529616117 CEST | 53 | 56132 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:13:06.998872042 CEST | 61292 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:13:07.099144936 CEST | 53 | 61292 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:13:12.341939926 CEST | 63619 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:13:12.481307030 CEST | 53 | 53619 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:13:17.773648977 CEST | 64938 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:13:17.928342104 CEST | 53 | 64938 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:13:39.110472918 CEST | 52123 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:13:39.134844065 CEST | 53 | 52123 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:13:44.493109941 CEST | 56130 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:13:44.517874002 CEST | 53 | 56130 | 37.235.1.174 | 192.168.2.3
          Apr 7, 2021 13:13:49.753454924 CEST | 56338 | 53 | 192.168.2.3 | 37.235.1.174
          Apr 7, 2021 13:13:50.250629902 CEST | 53 | 56338 | 37.235.1.174 | 192.168.2.3

          DNS Queries

          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
          Apr 7, 2021 13:12:33.791883945 CEST | 192.168.2.3 | 37.235.1.174 | 0x393c | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:12:39.319566011 CEST | 192.168.2.3 | 37.235.1.174 | 0x803 | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:12:45.461173058 CEST | 192.168.2.3 | 37.235.1.174 | 0x72b0 | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:06.998872042 CEST | 192.168.2.3 | 37.235.1.174 | 0xc0f8 | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:12.341939926 CEST | 192.168.2.3 | 37.235.1.174 | 0x4543 | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:17.773648977 CEST | 192.168.2.3 | 37.235.1.174 | 0xfcf1 | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:39.110472918 CEST | 192.168.2.3 | 37.235.1.174 | 0x46e1 | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:44.493109941 CEST | 192.168.2.3 | 37.235.1.174 | 0x2b7a | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:49.753454924 CEST | 192.168.2.3 | 37.235.1.174 | 0x8bee | Standard query (0) | oleg321.ddns.net | A (IP address) | IN (0x0001)

          DNS Answers

          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
          Apr 7, 2021 13:12:33.844490051 CEST | 37.235.1.174 | 192.168.2.3 | 0x393c | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:12:40.073358059 CEST | 37.235.1.174 | 192.168.2.3 | 0x803 | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:12:45.529616117 CEST | 37.235.1.174 | 192.168.2.3 | 0x72b0 | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:07.099144936 CEST | 37.235.1.174 | 192.168.2.3 | 0xc0f8 | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:12.481307030 CEST | 37.235.1.174 | 192.168.2.3 | 0x4543 | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:17.928342104 CEST | 37.235.1.174 | 192.168.2.3 | 0xfcf1 | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:39.134844065 CEST | 37.235.1.174 | 192.168.2.3 | 0x46e1 | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:44.517874002 CEST | 37.235.1.174 | 192.168.2.3 | 0x2b7a | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)
          Apr 7, 2021 13:13:50.250629902 CEST | 37.235.1.174 | 192.168.2.3 | 0x8bee | No error (0) | oleg321.ddns.net | | 185.244.26.250 | A (IP address) | IN (0x0001)

          Code Manipulations

          Statistics

          Behavior


          System Behavior

          General

          Start time:13:11:56
          Start date:07/04/2021
          Path:C:\Users\user\Desktop\CU3e1CWzlr.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\CU3e1CWzlr.exe'
          Imagebase:0xcc0000
          File size:620007 bytes
          MD5 hash:BC906F26EDFEC13CDB13D8A6B97F344B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          General

          Start time:13:11:57
          Start date:07/04/2021
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\system32\cmd.exe /c ''C:\1.bat' '
          Imagebase:0xbd0000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:13:11:58
          Start date:07/04/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6b2800000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:13:11:58
          Start date:07/04/2021
          Path:C:\Quotation.sfx.exe
          Wow64 process (32bit):true
          Commandline:Quotation.sfx.exe -p123 dc:\
          Imagebase:0x340000
          File size:458627 bytes
          MD5 hash:9C30B408BBF38395C4BB213682044B68
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 100%, Joe Sandbox ML
          • Detection: 32%, Metadefender, Browse
          • Detection: 76%, ReversingLabs
          Reputation:low

          General

          Start time:13:12:00
          Start date:07/04/2021
          Path:C:\Quotation.exe
          Wow64 process (32bit):true
          Commandline:'C:\Quotation.exe'
          Imagebase:0x160000
          File size:207872 bytes
          MD5 hash:C83BD9093E7AE550FC49FDC1A90B7F9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.471922157.00000000051B0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.464609033.0000000000162000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.472020860.0000000005440000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.470841608.00000000037B7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.205169235.0000000000162000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Quotation.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Quotation.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Quotation.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Quotation.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          • Detection: 86%, Metadefender
          • Detection: 100%, ReversingLabs
          Reputation:low

          General

          Start time:13:12:01
          Start date:07/04/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA16B.tmp'
          Imagebase:0x11b0000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:13:12:01
          Start date:07/04/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6b2800000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:13:12:02
          Start date:07/04/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA45A.tmp'
          Imagebase:0x11b0000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:13:12:02
          Start date:07/04/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6b2800000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:13:12:03
          Start date:07/04/2021
          Path:C:\Quotation.exe
          Wow64 process (32bit):true
          Commandline:C:\Quotation.exe 0
          Imagebase:0x390000
          File size:207872 bytes
          MD5 hash:C83BD9093E7AE550FC49FDC1A90B7F9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.212196362.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.233036781.0000000002A11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.233182479.0000000003A11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.227002724.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          General

          Start time:13:12:04
          Start date:07/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Imagebase:0x860000
          File size:207872 bytes
          MD5 hash:C83BD9093E7AE550FC49FDC1A90B7F9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.227835211.0000000000862000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.212881601.0000000000862000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.233656875.0000000003F81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.233269566.0000000002F81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 100%, Joe Sandbox ML
          • Detection: 86%, Metadefender
          • Detection: 100%, ReversingLabs
          Reputation:low

          General

          Start time:13:12:11
          Start date:07/04/2021
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Imagebase:0xaa0000
          File size:207872 bytes
          MD5 hash:C83BD9093E7AE550FC49FDC1A90B7F9E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.230390276.0000000000AA2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.246968442.0000000004201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.245771019.0000000000AA2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.246931446.0000000003201000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          Disassembly

          Code Analysis
