Analysis Report zr0evNqvkC.exe

Overview

General Information

Sample Name: zr0evNqvkC.exe
Analysis ID: 383423
MD5: ce3d2c6f07c0f14cf7ffcb8af7d7fa38
SHA1: ae0de88f43b79f629c38c6990e9ba563ab35d532
SHA256: 76ccacc15808e1c228af17491e3cb90623807f3b5bc3828578cf9a83a7f8904b
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • zr0evNqvkC.exe (PID: 7000 cmdline: 'C:\Users\user\Desktop\zr0evNqvkC.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • zr0evNqvkC.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\zr0evNqvkC.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
      • schtasks.exe (PID: 5728 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6484 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE932.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • zr0evNqvkC.exe (PID: 5020 cmdline: C:\Users\user\Desktop\zr0evNqvkC.exe 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • zr0evNqvkC.exe (PID: 4228 cmdline: C:\Users\user\Desktop\zr0evNqvkC.exe 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
  • dhcpmon.exe (PID: 6368 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • dhcpmon.exe (PID: 6568 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
  • dhcpmon.exe (PID: 6744 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
    • dhcpmon.exe (PID: 6784 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ccf3c62d-d356-4a80-bb94-307bc35a", "Group": "Backup", "Domain1": "backu4734.duckdns.org", "Domain2": "backu4734.duckdns.org", "Port": 8092, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x146bd:$x1: NanoCore.ClientPluginHost
  • 0x146fa:$x2: IClientNetworkHost
  • 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x14425:$a: NanoCore
  • 0x14435:$a: NanoCore
  • 0x14669:$a: NanoCore
  • 0x1467d:$a: NanoCore
  • 0x146bd:$a: NanoCore
  • 0x14484:$b: ClientPlugin
  • 0x14686:$b: ClientPlugin
  • 0x146c6:$b: ClientPlugin
  • 0x145ab:$c: ProjectData
  • 0x14fb2:$d: DESCrypto
  • 0x1c97e:$e: KeepAlive
  • 0x1a96c:$g: LogClientMessage
  • 0x16b67:$i: get_Connected
  • 0x152e8:$j: #=q
  • 0x15318:$j: #=q
  • 0x15334:$j: #=q
  • 0x15364:$j: #=q
  • 0x15380:$j: #=q
  • 0x1539c:$j: #=q
  • 0x153cc:$j: #=q
  • 0x153e8:$j: #=q
0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x431bd:$a: NanoCore
  • 0x43216:$a: NanoCore
  • 0x43253:$a: NanoCore
  • 0x432cc:$a: NanoCore
  • 0x56977:$a: NanoCore
  • 0x5698c:$a: NanoCore
  • 0x569c1:$a: NanoCore
  • 0x6f96b:$a: NanoCore
  • 0x6f980:$a: NanoCore
  • 0x6f9b5:$a: NanoCore
  • 0x4321f:$b: ClientPlugin
  • 0x4325c:$b: ClientPlugin
  • 0x43b5a:$b: ClientPlugin
  • 0x43b67:$b: ClientPlugin
  • 0x56733:$b: ClientPlugin
  • 0x5674e:$b: ClientPlugin
  • 0x5677e:$b: ClientPlugin
  • 0x56995:$b: ClientPlugin
  • 0x569ca:$b: ClientPlugin
  • 0x6f727:$b: ClientPlugin
  • 0x6f742:$b: ClientPlugin
(101 entries in total; the remainder are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.dhcpmon.exe.3463214.7.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0x287a1:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
  • 0x287ce:$x2: IClientNetworkHost
13.2.dhcpmon.exe.3463214.7.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x287a1:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0x2987c:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
  • 0x287bb:$s5: IClientLoggingHost
13.2.dhcpmon.exe.3463214.7.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.dhcpmon.exe.24a1458.2.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.24a1458.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
(260 entries in total; the remainder are not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\zr0evNqvkC.exe, ProcessId: 7088, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\zr0evNqvkC.exe', ParentImage: C:\Users\user\Desktop\zr0evNqvkC.exe, ParentProcessId: 7088, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp', ProcessId: 5728

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ccf3c62d-d356-4a80-bb94-307bc35a", "Group": "Backup", "Domain1": "backu4734.duckdns.org", "Domain2": "backu4734.duckdns.org", "Port": 8092, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Metadefender: Detection: 13%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll, Metadefender: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll, ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll, Metadefender: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll, ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll, Metadefender: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll, ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll, Metadefender: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll, ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe, Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe, ReversingLabs: Detection: 24%
Multi AV Scanner detection for submitted file
Source: zr0evNqvkC.exe, Metadefender: Detection: 13%
Source: zr0evNqvkC.exe, ReversingLabs: Detection: 24%
Yara detected Nanocore RAT
Source: Yara match, File source: 0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.695829534.000000000341C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.687173726.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000001.667478998.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.710086127.00000000033CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.695251206.000000000065C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.711101394.0000000004E62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000001.651190577.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.710048527.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.709598376.00000000007C9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.686993962.0000000002692000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.686267445.00000000007AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.696770647.0000000004922000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: zr0evNqvkC.exe PID: 7088, type: MEMORY
Source: Yara match, File source: Process Memory Space: zr0evNqvkC.exe PID: 7000, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6744, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6784, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6368, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6568, type: MEMORY
Source: Yara match, File source: Process Memory Space: zr0evNqvkC.exe PID: 5020, type: MEMORY
Source: Yara match, File source: Process Memory Space: zr0evNqvkC.exe PID: 4228, type: MEMORY
Source: Yara match, File source: 13.2.dhcpmon.exe.3463214.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.24a1458.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.345e3de.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.3395530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.47d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.2490000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.7e41c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.3463214.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.3793214.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.zr0evNqvkC.exe.23a1458.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.47d0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.33e5530.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.7c4b80.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.2490000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.673ed8.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.341783d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.346783d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.673ed8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.zr0evNqvkC.exe.2390000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.34e0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.3413214.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.zr0evNqvkC.exe.34f1458.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.24a1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.zr0evNqvkC.exe.34f1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.340e3de.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.33e5530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.34e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.34f1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.7e41c8.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.zr0evNqvkC.exe.23a1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.3793214.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.378e3de.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.dhcpmon.exe.34f1458.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.3715530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.3715530.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.3413214.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.zr0evNqvkC.exe.2390000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.zr0evNqvkC.exe.34e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.7c4b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.21d0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.3395530.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.zr0evNqvkC.exe.379783d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll, Joe Sandbox ML: detected
Source: 13.2.dhcpmon.exe.4920000.9.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.dhcpmon.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.zr0evNqvkC.exe.3260000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 11.1.zr0evNqvkC.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.3240000.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 3.1.zr0evNqvkC.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.zr0evNqvkC.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.zr0evNqvkC.exe.31b0000.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.dhcpmon.exe.31b0000.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.dhcpmon.exe.4e60000.9.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Unpacked PE file: 11.2.zr0evNqvkC.exe.2690000.4.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Unpacked PE file: 13.2.dhcpmon.exe.4920000.9.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Unpacked PE file: 11.2.zr0evNqvkC.exe.400000.1.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Unpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Unpacked PE file: 15.2.dhcpmon.exe.400000.0.unpack
Source: zr0evNqvkC.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: zr0evNqvkC.exe, 00000001.00000003.650436120.0000000003710000.00000004.00000001.sdmp, zr0evNqvkC.exe, 00000008.00000003.666529250.0000000003710000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.667278626.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.693604886.0000000003710000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: zr0evNqvkC.exe, 00000001.00000003.650436120.0000000003710000.00000004.00000001.sdmp, zr0evNqvkC.exe, 00000008.00000003.666529250.0000000003710000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.667278626.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.693604886.0000000003710000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 1_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 1_2_00405CD4 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 1_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 3_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 8_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 8_2_00405CD4 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 8_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_1_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_00405CD4 FindFirstFileA,FindClose,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_0040263E FindFirstFileA,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_00404A29 FindFirstFileExW,

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49751 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49753 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49754 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 40.71.91.165:8092
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49787 -> 40.71.91.165:8092
        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor | URLs: backu4734.duckdns.org
        Uses dynamic DNS services
        Source: unknown | DNS query: name: backu4734.duckdns.org
        Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 40.71.91.165:8092
        Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
        Source: unknown | DNS traffic detected: queries for: backu4734.duckdns.org
        Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.695156443.0000000000409000.00000004.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.686705424.0000000000409000.00000008.00020000.sdmp, zr0evNqvkC.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
        Source: zr0evNqvkC.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 1_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
        Source: zr0evNqvkC.exe, 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT

        System Summary:

        Malicious sample detected (through community Yara rule): the matched rules are "Detetcs the Nanocore RAT" (Author: Florian Roth) and "NanoCore" (Author: Kevin Breen <kevin@techanarchy.net>)
        Source: 11.2.zr0evNqvkC.exe.3793214.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.378e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.378e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.34f1458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.34f1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.zr0evNqvkC.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.zr0evNqvkC.exe.3715530.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.3715530.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.zr0evNqvkC.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.zr0evNqvkC.exe.3715530.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.3715530.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.3413214.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.zr0evNqvkC.exe.2390000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.zr0evNqvkC.exe.2390000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.zr0evNqvkC.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.dhcpmon.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.3395530.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.3395530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.23fba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.zr0evNqvkC.exe.379783d.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 1_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 8_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 1_2_004046CA
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 1_2_00405FA4
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 3_1_0040A2A5
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 8_2_004046CA
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 8_2_00405FA4
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_0040A2A5
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_00BCE480
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_00BCE471
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_00BCBBD4
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_051CF5F8
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_051C9788
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_051CA610
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_05393E30
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_05394A50
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_05395330
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_2_05394B08
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: 11_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0221E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0221E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0221BBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0508F5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_05089788
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0508A5D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_0508A610
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_05253E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_05254A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_2_05254B08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 13_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_004046CA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 14_2_00405FA4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0485E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0485E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0485BBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0508F5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05089788
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0508A610
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05253E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05254A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05254B08
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: String function: 004029F6 appears 52 times
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: String function: 00401ED0 appears 69 times
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe, Code function: String function: 0040569E appears 54 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 00401ED0 appears 69 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 0040569E appears 54 times
        Source: zr0evNqvkC.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Adobe.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.3.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: zr0evNqvkC.exe, 00000001.00000003.645685861.0000000003646000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs zr0evNqvkC.exe
        Source: zr0evNqvkC.exe, 00000003.00000003.678194233.00000000054E6000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs zr0evNqvkC.exe
        Source: zr0evNqvkC.exe, 00000008.00000003.666315179.0000000003696000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs zr0evNqvkC.exe
        Source: zr0evNqvkC.exe, 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs zr0evNqvkC.exe
        Source: zr0evNqvkC.exe, 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs zr0evNqvkC.exe
        Source: zr0evNqvkC.exe, 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs zr0evNqvkC.exe
        Source: zr0evNqvkC.exe, 0000000B.00000002.687825228.0000000005360000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs zr0evNqvkC.exe
        Source: zr0evNqvkC.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
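The five flags listed above are bits of the Characteristics WORD in the COFF file header. The following is an added example, not part of the report or of Joe Sandbox, showing how to decode that field from raw bytes with only the standard library, so the same check can be reproduced on the sample or on the dropped dhcpmon.exe without a third-party PE parser. The bit values come from the PE/COFF specification; the minimal image built by build_minimal_pe is constructed sample input, not the real sample. The security-relevant bit is RELOCS_STRIPPED: an image without a relocation table cannot be rebased by the loader, so it always maps at its preferred ImageBase (0x400000 for a typical 32-bit EXE, which matches the 400000 unpacked regions listed in this report) and ASLR gives it no protection, which is why such binaries are easy targets for hard-coded addresses in shellcode and injected loaders.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits, per the PE/COFF specification.
# Only the flags relevant to triage are listed; unknown bits are ignored.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x1000: "SYSTEM",
    0x2000: "DLL",
}


def pe_characteristics(data: bytes) -> list:
    """Return the Characteristics flag names of a PE image given its raw bytes.

    Walks MZ header -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER and reads the
    Characteristics WORD, which is the last field (offset 18) of that header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if characteristics & bit]


def can_be_relocated(data: bytes) -> bool:
    """False when RELOCS_STRIPPED is set: the loader cannot rebase the image,
    so it always lands at its preferred ImageBase and ASLR does not apply to it."""
    return "RELOCS_STRIPPED" not in pe_characteristics(data)


def build_minimal_pe(characteristics: int) -> bytes:
    """Constructed sample input (hypothetical, not the analysed file): a DOS header,
    PE signature and COFF file header with the given Characteristics value."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,           # Machine: IMAGE_FILE_MACHINE_I386
        3,                # NumberOfSections
        0,                # TimeDateStamp
        0, 0,             # PointerToSymbolTable, NumberOfSymbols (deprecated)
        0xE0,             # SizeOfOptionalHeader for PE32
        characteristics,  # the field we decode
    )
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 0x010F = RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED
    #        | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE, the same set the report lists.
    sample = build_minimal_pe(0x010F)
    print(pe_characteristics(sample))
    print("relocatable (ASLR-compatible):", can_be_relocated(sample))
```

To run it against a real file, replace the constructed bytes with `open(path, "rb").read()`; the parser only reads the two headers, so it works on the dropped dhcpmon.exe as well as on the original sample.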
        Source: 0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.695829534.000000000341C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.687130487.0000000002760000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.687173726.0000000003711000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.687173726.0000000003711000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.695741140.0000000002430000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000001.667478998.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000001.667478998.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.710086127.00000000033CC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.695251206.000000000065C000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.695251206.000000000065C000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.711101394.0000000004E62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.711101394.0000000004E62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000001.651190577.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000001.651190577.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.710048527.0000000003391000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.710048527.0000000003391000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.709598376.00000000007C9000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.709598376.00000000007C9000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.686993962.0000000002692000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.686993962.0000000002692000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.686267445.00000000007AA000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.686267445.00000000007AA000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.696770647.0000000004922000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.696770647.0000000004922000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.710008654.00000000023E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: zr0evNqvkC.exe PID: 7088, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: zr0evNqvkC.exe PID: 7088, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: zr0evNqvkC.exe PID: 7000, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: zr0evNqvkC.exe PID: 7000, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6744, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6744, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6784, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6784, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6368, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6368, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6568, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6568, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: zr0evNqvkC.exe PID: 5020, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: zr0evNqvkC.exe PID: 5020, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: zr0evNqvkC.exe PID: 4228, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: zr0evNqvkC.exe PID: 4228, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.3463214.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.3463214.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.24a1458.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.24a1458.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.24a1458.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.345e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.345e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.345e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.3395530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.3395530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.3395530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.47d0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.47d0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.47d0000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.2490000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2490000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.2490000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.24d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.24d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.24d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.7e41c8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.7e41c8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.7e41c8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.3463214.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.3463214.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.24d0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.24d0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.24d0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.3793214.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.3793214.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.zr0evNqvkC.exe.23a1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.zr0evNqvkC.exe.23a1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.zr0evNqvkC.exe.23a1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.47d0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.47d0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.47d0000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.33e5530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.33e5530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.33e5530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.673ed8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.673ed8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.673ed8.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.341783d.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.341783d.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.346783d.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.346783d.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.277b908.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.277b908.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.673ed8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.673ed8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.673ed8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.21d0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.21d0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.21d0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.zr0evNqvkC.exe.2390000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.zr0evNqvkC.exe.2390000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.zr0evNqvkC.exe.2390000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.34e0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.34e0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.34e0000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.3413214.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.3413214.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.zr0evNqvkC.exe.34f1458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.zr0evNqvkC.exe.34f1458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.zr0evNqvkC.exe.34f1458.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.24a1458.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.24a1458.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.24a1458.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.zr0evNqvkC.exe.34f1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.zr0evNqvkC.exe.34f1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.zr0evNqvkC.exe.34f1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.340e3de.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.340e3de.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.340e3de.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.33e5530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.33e5530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.33e5530.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.34e0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.34e0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.34e0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.34f1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.34f1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.34f1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.7e41c8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.7e41c8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.7e41c8.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.zr0evNqvkC.exe.23a1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.zr0evNqvkC.exe.23a1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.zr0evNqvkC.exe.23a1458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.244ba50.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.244ba50.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.3793214.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.3793214.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.378e3de.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.378e3de.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.378e3de.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.34f1458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.34f1458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.34f1458.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.3715530.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.3715530.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.3715530.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.3715530.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.3715530.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.3715530.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.3413214.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.3413214.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.zr0evNqvkC.exe.2390000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.zr0evNqvkC.exe.2390000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.zr0evNqvkC.exe.2390000.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.7c4b80.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.3395530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.3395530.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.3395530.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.23fba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.23fba50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.zr0evNqvkC.exe.379783d.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.zr0evNqvkC.exe.379783d.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/16@20/2
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 1_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 1_2_1000CB95 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 1_2_00402020 CoCreateInstance,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 3_1_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File created: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:492:120:WilError_01
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ccf3c62d-d356-4a80-bb94-307bc35a5e01}
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File created: C:\Users\user\AppData\Local\Temp\nsrCF21.tmp
        Source: zr0evNqvkC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: zr0evNqvkC.exe | Metadefender: Detection: 13%
        Source: zr0evNqvkC.exe | ReversingLabs: Detection: 24%
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File read: C:\Users\user\Desktop\zr0evNqvkC.exe
        Source: unknown | Process created: C:\Users\user\Desktop\zr0evNqvkC.exe 'C:\Users\user\Desktop\zr0evNqvkC.exe'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Process created: C:\Users\user\Desktop\zr0evNqvkC.exe 'C:\Users\user\Desktop\zr0evNqvkC.exe'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE932.tmp'
        Source: unknown | Process created: C:\Users\user\Desktop\zr0evNqvkC.exe C:\Users\user\Desktop\zr0evNqvkC.exe 0
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Process created: C:\Users\user\Desktop\zr0evNqvkC.exe C:\Users\user\Desktop\zr0evNqvkC.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Binary string: wntdll.pdbUGP source: zr0evNqvkC.exe, 00000001.00000003.650436120.0000000003710000.00000004.00000001.sdmp, zr0evNqvkC.exe, 00000008.00000003.666529250.0000000003710000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.667278626.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.693604886.0000000003710000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: zr0evNqvkC.exe, 00000001.00000003.650436120.0000000003710000.00000004.00000001.sdmp, zr0evNqvkC.exe, 00000008.00000003.666529250.0000000003710000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.667278626.00000000036A0000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.693604886.0000000003710000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Unpacked PE file: 11.2.zr0evNqvkC.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 15.2.dhcpmon.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Detected unpacking (creates a PE file in dynamic memory)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Unpacked PE file: 11.2.zr0evNqvkC.exe.2690000.4.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 13.2.dhcpmon.exe.4920000.9.unpack
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Unpacked PE file: 11.2.zr0evNqvkC.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 13.2.dhcpmon.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 15.2.dhcpmon.exe.400000.0.unpack
        .NET source code contains potential unpacker
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 1_2_00405CFB GetModuleHandleA,LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 3_1_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 11_2_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 11_2_051C7648 push eax; iretd
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 11_2_05396E5D push FFFFFF8Bh; iretd
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Code function: 11_1_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_05087648 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_05256E5D push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_1_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_0485E471 push ebx; mov dword ptr [esp], eax
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_0485E0D8 push edx; mov dword ptr [esp], eax
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_05087648 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_05256E5D push FFFFFF8Bh; iretd
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 13.2.dhcpmon.exe.4920000.9.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 15.2.dhcpmon.exe.4e60000.9.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File created: C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File created: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File created: C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Backup.exe

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | File opened: C:\Users\user\Desktop\zr0evNqvkC.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Thread delayed: delay time: 922337203685477 (repeated 2 times)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Thread delayed: delay time: 922337203685477 (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Window / User API: threadDelayed 2749
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Window / User API: threadDelayed 6885
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Window / User API: foregroundWindowGot 671
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Window / User API: foregroundWindowGot 571
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe TID: 2456  Thread sleep time: -11068046444225724s >= -30000s
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe TID: 6872  Thread sleep count: 38 > 30
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe TID: 6896  Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6644  Thread sleep count: 42 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6392  Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7132  Thread sleep count: 42 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7068  Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 1_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 1_2_00405CD4 FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 1_2_0040263E FindFirstFileA,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 8_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 8_2_00405CD4 FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 8_2_0040263E FindFirstFileA,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_1_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 14_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 14_2_00405CD4 FindFirstFileA,FindClose,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 14_2_0040263E FindFirstFileA,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 15_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Thread delayed: delay time: 922337203685477 (repeated 2 times)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Thread delayed: delay time: 922337203685477 (repeated 2 times)
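The delay observations above recur with one exact figure, 922337203685477, which is .NET's TimeSpan.MaxValue expressed in whole milliseconds (2^63 - 1 ticks of 100 ns, divided by 10,000): a thread parked for a duration that never elapses, sitting next to counted sleep loops (38 and 42 calls against the report's 30-call cut-off). The following Python is an added example written for this page, not code from the sandbox or from the sample. It parses lines written in the report's own wording (the input is a constructed copy of the lines above), treats the delay values as milliseconds (an assumption), and separates parked threads from finite long waits and from sleep loops.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# .NET TimeSpan.MaxValue is 2**63 - 1 ticks of 100 ns; in whole milliseconds that
# is 922337203685477, the exact figure in the "Thread delayed" lines above.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000
SANDBOX_WINDOW_MS = 30_000       # the report's own ">= -30000" comparison value
SLEEP_LOOP_THRESHOLD = 30        # the report's own "sleep count: N > 30" cut-off

# Constructed input: copies of report lines above, in the report's wording.
# Values are assumed to be milliseconds.
LINES: List[str] = [
    r"Source: C:\Users\user\Desktop\zr0evNqvkC.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\zr0evNqvkC.exe TID: 2456 Thread sleep time: -11068046444225724s >= -30000s",
    r"Source: C:\Users\user\Desktop\zr0evNqvkC.exe TID: 6872 Thread sleep count: 38 > 30",
    r"Source: C:\Users\user\Desktop\zr0evNqvkC.exe TID: 6896 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6644 Thread sleep count: 42 > 30",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6392 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\zr0evNqvkC.exe Window / User API: threadDelayed 2749",
    r"Source: C:\Windows\System32\conhost.exe Last function: Thread delayed",   # carries no number: skipped
]

_LINE = re.compile(
    r"Source: (?P<src>.+?\.exe)(?: TID: (?P<tid>\d+))? "
    r"(?:Thread delayed: delay time: (?P<delay>\d+)"
    r"|Thread sleep time: -?(?P<sleep>\d+)s >= -\d+s"
    r"|Thread sleep count: (?P<count>\d+) > \d+"
    r"|Window / User API: threadDelayed (?P<api>\d+))$"
)

class Obs(NamedTuple):
    source: str
    tid: Optional[int]
    kind: str       # "wait" (one delay, value in ms) or "loop" (a call count)
    value: int

def parse(line: str) -> Optional[Obs]:
    """Turn one report line into an observation; lines without a number are skipped."""
    m = _LINE.match(line)
    if not m:
        return None
    tid = int(m["tid"]) if m["tid"] else None
    if m["delay"] or m["sleep"]:
        return Obs(m["src"], tid, "wait", int(m["delay"] or m["sleep"]))
    return Obs(m["src"], tid, "loop", int(m["count"] or m["api"]))

def classify_wait(ms: int) -> str:
    """Separate a real timing delay from a thread that has simply parked itself."""
    if ms == TIMESPAN_MAX_MS:
        return "timespan_max"              # exactly .NET TimeSpan.MaxValue
    if ms > ONE_YEAR_MS:
        return "effectively_infinite"      # will not elapse during any analysis run
    if ms > SANDBOX_WINDOW_MS:
        return "outlasts_sandbox_window"   # the case sleep patching is meant for
    return "short"

def summarise(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-process tally: parked threads, finite long waits, sleep loops over the threshold."""
    out = defaultdict(lambda: {"infinite_waits": 0, "long_waits": 0, "sleep_loops": 0, "max_loop": 0})
    for line in lines:
        obs = parse(line)
        if obs is None:
            continue
        row = out[obs.source]
        if obs.kind == "wait":
            label = classify_wait(obs.value)
            if label in ("timespan_max", "effectively_infinite"):
                row["infinite_waits"] += 1
            elif label == "outlasts_sandbox_window":
                row["long_waits"] += 1
        else:
            row["max_loop"] = max(row["max_loop"], obs.value)
            if obs.value > SLEEP_LOOP_THRESHOLD:
                row["sleep_loops"] += 1
    return dict(out)

if __name__ == "__main__":
    for src, row in summarise(LINES).items():
        print(src, row)
```

A wait equal to TimeSpan.MaxValue never elapses, so accelerating the sandbox clock changes nothing for that thread; only waits in the "outlasts_sandbox_window" class respond to sleep patching, and the counted loops (thousands of short delays) are what a timing-based evasion check looks like.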
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 1_2_00405CFB GetModuleHandleA,LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 1_2_1000DC25 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 1_2_1000DED5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 14_2_1000DC25 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 14_2_1000DED5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 15_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_004067FE GetProcessHeap,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Process token adjusted: Debug
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 11_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 13_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 15_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 15_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 15_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Code function: 15_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Section loaded: unknown target: C:\Users\user\Desktop\zr0evNqvkC.exe protection: execute and read and write (repeated 2 times)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Process created: C:\Users\user\Desktop\zr0evNqvkC.exe 'C:\Users\user\Desktop\zr0evNqvkC.exe'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE932.tmp'
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Process created: C:\Users\user\Desktop\zr0evNqvkC.exe C:\Users\user\Desktop\zr0evNqvkC.exe 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
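The process tree above shows the two patterns a detection engineer would key on: schtasks.exe registering tasks from XML files written to the user's Temp directory, and the sample (and later its dropped dhcpmon.exe copy) re-spawning its own image with a lone 0 argument. The following Python is an added example written for this page, not code from the sandbox or from the sample. It runs those two checks over constructed Sysmon-style process-creation records built from the command lines listed above; the field names Image, ParentImage and CommandLine and the benign control record at the end are assumptions.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed process-creation records built from the "Process created" lines above,
# using Sysmon Event ID 1 field names (an assumption). The last record is a benign
# control that a correct rule must not flag.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\user\Desktop\zr0evNqvkC.exe",
     "ParentImage": r"C:\Users\user\Desktop\zr0evNqvkC.exe",
     "CommandLine": r"'C:\Users\user\Desktop\zr0evNqvkC.exe'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\zr0evNqvkC.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\zr0evNqvkC.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE932.tmp'"},
    {"Image": r"C:\Users\user\Desktop\zr0evNqvkC.exe",
     "ParentImage": r"C:\Users\user\Desktop\zr0evNqvkC.exe",
     "CommandLine": r"C:\Users\user\Desktop\zr0evNqvkC.exe 0"},
    {"Image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "ParentImage": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "CommandLine": r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /xml "C:\Scripts\backup.xml"'},
]

# The sandbox prints command lines with single quotes where Windows uses double
# quotes, so the tokenizer accepts both quoting styles and strips them.
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
_TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
_WINDOWS_DIR = "c:\\windows\\"

def tokenize(command_line: str) -> List[str]:
    toks = _TOKEN.findall(command_line)
    return [t[1:-1] if len(t) > 1 and t[0] in "'\"" and t[-1] == t[0] else t for t in toks]

def option_value(tokens: List[str], name: str) -> Optional[str]:
    """Value following a /switch, matched case-insensitively (schtasks accepts any case)."""
    low = [t.lower() for t in tokens]
    if name in low and low.index(name) + 1 < len(tokens):
        return tokens[low.index(name) + 1]
    return None

def detect_schtasks_from_temp(ev: Dict[str, str]) -> Optional[str]:
    """schtasks.exe /create whose /xml task definition lives in a temp directory."""
    if ev["Image"].lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    toks = tokenize(ev["CommandLine"])
    if "/create" not in (t.lower() for t in toks):
        return None
    xml = option_value(toks, "/xml")
    if xml and any(d in xml.lower() for d in _TEMP_DIRS):
        return f"task {option_value(toks, '/tn')!r} registered from temp XML {xml}"
    return None

def detect_self_spawn(ev: Dict[str, str]) -> Optional[str]:
    """Parent and child share one image outside the Windows directory: an executable
    launching a copy of itself (here with a lone '0') to host injected code."""
    img, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    if img != parent or img.startswith(_WINDOWS_DIR):
        return None
    return f"{ev['Image']} re-spawned itself with args {tokenize(ev['CommandLine'])[1:]}"

CHECKS: Tuple[Callable[[Dict[str, str]], Optional[str]], ...] = (detect_schtasks_from_temp, detect_self_spawn)

def run(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply every check to every record; returns (check name, reason) pairs."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for check in CHECKS:
            why = check(ev)
            if why:
                hits.append((check.__name__, why))
    return hits

if __name__ == "__main__":
    for name, why in run(EVENTS):
        print(f"{name}: {why}")
```

The self-spawn check is deliberately broad: legitimate software (browsers, updaters) also launches copies of its own image, so in production it should be scoped to unsigned images or correlated with the suspended-mode process creation the report records for this sample. The temp-XML check has far fewer benign matches, since installers that use schtasks normally ship the task definition on the command line or from their own install directory.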
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_0040208D cpuid
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (repeated 2 times)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (repeated 2 times)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (repeated 2 times)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (repeated 2 times)
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 3_1_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exe  Code function: 1_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\zr0evNqvkC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.695829534.000000000341C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.687173726.0000000003711000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000001.667478998.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.710086127.00000000033CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.695251206.000000000065C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.711101394.0000000004E62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000001.651190577.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.710048527.0000000003391000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.709598376.00000000007C9000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.686993962.0000000002692000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.686267445.00000000007AA000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.696770647.0000000004922000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: zr0evNqvkC.exe PID: 7088, type: MEMORY
        Source: Yara match | File source: Process Memory Space: zr0evNqvkC.exe PID: 7000, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6744, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6784, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6368, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6568, type: MEMORY
        Source: Yara match | File source: Process Memory Space: zr0evNqvkC.exe PID: 5020, type: MEMORY
        Source: Yara match | File source: Process Memory Space: zr0evNqvkC.exe PID: 4228, type: MEMORY
        Source: Yara match | File source: 13.2.dhcpmon.exe.3463214.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.24a1458.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.4920000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.345e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.3395530.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.47d0000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.2490000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.7e41c8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.3463214.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.24d0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.3793214.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.zr0evNqvkC.exe.23a1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.47d0000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.33e5530.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.7c4b80.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.673ed8.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.341783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.2690000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.346783d.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.673ed8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.zr0evNqvkC.exe.2390000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.34e0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.3413214.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.zr0evNqvkC.exe.34f1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.24a1458.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.zr0evNqvkC.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.zr0evNqvkC.exe.34f1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.340e3de.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.33e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.34e0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.34f1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.7e41c8.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.zr0evNqvkC.exe.23a1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.3793214.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.378e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.34f1458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.zr0evNqvkC.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.3715530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.3715530.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.3413214.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.zr0evNqvkC.exe.2390000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.zr0evNqvkC.exe.34e0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.7c4b80.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.3395530.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.zr0evNqvkC.exe.379783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: zr0evNqvkC.exe, 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: zr0evNqvkC.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: zr0evNqvkC.exe, 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: zr0evNqvkC.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: zr0evNqvkC.exe, 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000D.00000002.695829534.000000000341C000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000F.00000002.710086127.00000000033CC000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: Yara matchFile source: 11.1.zr0evNqvkC.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.4e60000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.zr0evNqvkC.exe.379783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.zr0evNqvkC.exe.34e0000.4.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (111) | Disable or Modify Tools (1) | Input Capture (11) | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
Default Accounts | Native API (1) | Registry Run Keys / Startup Folder (1) | Scheduled Task/Job (1) | Deobfuscate/Decode Files or Information (11) | LSASS Memory | File and Directory Discovery (2) | Remote Desktop Protocol | Input Capture (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scheduled Task/Job (1) | Logon Script (Windows) | Registry Run Keys / Startup Folder (1) | Obfuscated Files or Information (2) | Security Account Manager | System Information Discovery (25) | SMB/Windows Admin Shares | Clipboard Data (1) | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (41) | NTDS | Query Registry (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading (2) | LSA Secrets | Security Software Discovery (14) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (21) | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion (31) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (111) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories (1) | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

(Numbers in parentheses are the digits the report attaches to the techniques it matched.)

Behavior Graph

Behavior Graph ID: 383423, Sample: zr0evNqvkC.exe, Start date: 07/04/2021, Architecture: WINDOWS, Score: 100

Graph legend: process, signature, created file, DNS/IP info, is dropped, is Windows process, number of created registry values, number of created files, language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), is malicious, internet. The counters given after each process below are the numbers shown on that process node in the graph.

Root (node 2): DNS/IP backu4734.duckdns.org; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 13 other signatures. Started nodes 9, 13, 15 and 17.

• Node 9: zr0evNqvkC.exe (counters 1, 13)
  • dropped: C:\Users\user\AppData\Roaming\...\Adobe.exe (PE32); C:\Users\user\AppData\Local\Temp\...\9izy.dll (PE32)
  • signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules
  • started node 19: zr0evNqvkC.exe (counters 1, 15)
    • DNS/IP: backu4734.duckdns.org 40.71.91.165, ports 49737, 49739, 49745, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 192.168.2.1 (unknown, unknown)
    • dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmpE5B6.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
    • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • started node 30: schtasks.exe (counter 1), which started node 34: conhost.exe
    • started node 32: schtasks.exe (counter 1), which started node 36: conhost.exe
• Node 13: zr0evNqvkC.exe (counter 12)
  • dropped: C:\Users\user\AppData\Local\Temp\...\9izy.dll (PE32)
  • signature: Maps a DLL or memory area into another process
  • started node 24: zr0evNqvkC.exe (counter 3), which dropped C:\Users\user\AppData\...\zr0evNqvkC.exe.log (ASCII)
• Node 15: dhcpmon.exe (counter 12)
  • dropped: C:\Users\user\AppData\Local\Temp\...\9izy.dll (PE32)
  • started node 26: dhcpmon.exe (counter 3), which dropped C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)
• Node 17: dhcpmon.exe (counter 12)
  • dropped: C:\Users\user\AppData\Local\Temp\...\9izy.dll (PE32)
  • started node 28: dhcpmon.exe (counter 2)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
zr0evNqvkC.exe | 19% | Metadefender |
zr0evNqvkC.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 19% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll | 35% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll | 79% | ReversingLabs | Win32.Trojan.Predator
C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll | 35% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll | 79% | ReversingLabs | Win32.Trojan.Predator
C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll | 35% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll | 79% | ReversingLabs | Win32.Trojan.Predator
C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll | 35% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll | 79% | ReversingLabs | Win32.Trojan.Predator
C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | 19% | Metadefender |
C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
13.2.dhcpmon.exe.4920000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
13.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
1.2.zr0evNqvkC.exe.3260000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
11.1.zr0evNqvkC.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
15.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.zr0evNqvkC.exe.2690000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
12.2.dhcpmon.exe.3240000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
3.1.zr0evNqvkC.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.zr0evNqvkC.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.2.zr0evNqvkC.exe.31b0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
14.2.dhcpmon.exe.31b0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
15.2.dhcpmon.exe.4e60000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
backu4734.duckdns.org | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
backu4734.duckdns.org | 40.71.91.165 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
backu4734.duckdns.org | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.695156443.0000000000409000.00000004.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.686705424.0000000000409000.00000008.00020000.sdmp, zr0evNqvkC.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | zr0evNqvkC.exe | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
40.71.91.165 | backu4734.duckdns.org | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383423
Start date: 07.04.2021
Start time: 18:51:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: zr0evNqvkC.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/16@20/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 14.5% (good quality ratio 13.3%)
• Quality average: 77%
• Quality standard deviation: 31.3%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 13.88.21.125, 23.54.113.53, 168.61.161.212, 40.88.32.150, 52.147.198.201, 13.64.90.137, 104.43.139.144, 20.82.209.183, 23.10.249.43, 23.10.249.26, 52.155.217.156, 20.54.26.129, 20.82.210.154
              • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383423/sample/zr0evNqvkC.exe

Simulations

Behavior and APIs

Time | Type | Description
18:51:55 | API Interceptor | 1019x Sleep call for process: zr0evNqvkC.exe modified
18:51:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Backup.exe C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrst
18:52:02 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\zr0evNqvkC.exe" s>$(Arg0)
18:52:04 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
18:52:05 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified
18:52:05 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:52:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Backup.exe C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrst

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | uGSmoUM8Ex.exe | malicious | 52.169.150.217
| New Orders.exe | malicious | 104.209.133.4
| 6r3kQ7Ddkk.dll | malicious | 204.79.197.200
| S9LQJCAiXi.exe | malicious | 40.122.131.23
| sample.exe | malicious | 40.91.125.204
| wzdu53.exe | malicious | 52.239.137.4
| bank details.exe | malicious | 20.43.32.222
| covid.exe | malicious | 168.62.194.64
| 1drive.exe | malicious | 137.117.64.85
| onbgX3WswF.exe | malicious | 52.142.208.184
| scan-100218.docm | malicious | 51.145.124.145
| Honeywell Home_v5.3.0_apkpure.com_20201208.apk | malicious | 52.232.209.85
| bcex.apk.1 | malicious | 52.175.56.158
| Transfer Form.exe | malicious | 20.43.32.222
| PaymentInvoice.exe | malicious | 52.142.208.184
| ACHWIREPAYMENTINFORMATION.xlsx | malicious | 13.107.42.14
| products order pdf.exe | malicious | 23.98.38.200
| 5zc9vbGBo3.exe | malicious | 104.47.53.36
| InnAcjnAmG.exe | malicious | 104.47.53.36
| qwZnME1phK.exe | malicious | 51.103.81.8

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\zr0evNqvkC.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 723339
Entropy (8bit): 5.79069826682285
Encrypted: false
SSDEEP: 6144:IAPLSbA+7FZRyUakmmN681VueMiXbGQxS6MgCAZFu2KnU5rB6yxv82wNH7e6c:ZuF7yUakmmNWnuPOTgOnU50882Ge6c
MD5: CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
SHA1: AE0DE88F43B79F629C38C6990E9BA563AB35D532
SHA-256: 76CCACC15808E1C228AF17491E3CB90623807F3B5BC3828578CF9A83A7F8904B
SHA-512: 53BAC375C10EAD301E516E24B943A5DA18CE487148C95D7761479C1EE990353209C7846A9E090FCCDA116DEBD522FA7ED23D6B9831E9BBE0F8DF844224721DAD
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 19%
• Antivirus: ReversingLabs, Detection: 24%
Reputation: low
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\zr0evNqvkC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zr0evNqvkC.exe.log
Process: C:\Users\user\Desktop\zr0evNqvkC.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\nsmCF51.tmp\9izy.dll
Process: C:\Users\user\Desktop\zr0evNqvkC.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 336384
Entropy (8bit): 7.93865879007131
Encrypted: false
SSDEEP: 6144:gjm4+58OoOCd0TKizvE4GM9xF9AltKyfyTcuBWTsRu1Zg2istxtkR:g/O+0TKivtGM9v9OKy6AKoZECxtkR
MD5: C28DFFF3E22EFE40E1ED66C2E04202AB
SHA1: 61B909FDE36150867158A24ADEF89C4E7223EE20
SHA-256: 71CA449C5AC31DD841A2D0AD9303D73C7D99CB1A2B902F971487B0774CC7311D
SHA-512: 6217116B691C718A26D6E0C8D41E78794EFE6ED37A2BAB1DE76767A5DCFEDFD33A25237DD9E7704B8C6FB3A839D4A643A74236575B74E220DF6471C6435BF79D
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 35%
• Antivirus: ReversingLabs, Detection: 79%
Reputation: low
C:\Users\user\AppData\Local\Temp\nsmF603.tmp\9izy.dll
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 336384
Entropy (8bit): 7.93865879007131
Encrypted: false
SSDEEP: 6144:gjm4+58OoOCd0TKizvE4GM9xF9AltKyfyTcuBWTsRu1Zg2istxtkR:g/O+0TKivtGM9v9OKy6AKoZECxtkR
MD5: C28DFFF3E22EFE40E1ED66C2E04202AB
SHA1: 61B909FDE36150867158A24ADEF89C4E7223EE20
SHA-256: 71CA449C5AC31DD841A2D0AD9303D73C7D99CB1A2B902F971487B0774CC7311D
SHA-512: 6217116B691C718A26D6E0C8D41E78794EFE6ED37A2BAB1DE76767A5DCFEDFD33A25237DD9E7704B8C6FB3A839D4A643A74236575B74E220DF6471C6435BF79D
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 35%
• Antivirus: ReversingLabs, Detection: 79%
C:\Users\user\AppData\Local\Temp\nsw1A35.tmp\9izy.dll
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 336384
Entropy (8bit): 7.93865879007131
Encrypted: false
SSDEEP: 6144:gjm4+58OoOCd0TKizvE4GM9xF9AltKyfyTcuBWTsRu1Zg2istxtkR:g/O+0TKivtGM9v9OKy6AKoZECxtkR
MD5: C28DFFF3E22EFE40E1ED66C2E04202AB
SHA1: 61B909FDE36150867158A24ADEF89C4E7223EE20
SHA-256: 71CA449C5AC31DD841A2D0AD9303D73C7D99CB1A2B902F971487B0774CC7311D
SHA-512: 6217116B691C718A26D6E0C8D41E78794EFE6ED37A2BAB1DE76767A5DCFEDFD33A25237DD9E7704B8C6FB3A839D4A643A74236575B74E220DF6471C6435BF79D
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 35%
• Antivirus: ReversingLabs, Detection: 79%
              C:\Users\user\AppData\Local\Temp\nsyEC01.tmp\9izy.dll
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):336384
              Entropy (8bit):7.93865879007131
              Encrypted:false
              SSDEEP:6144:gjm4+58OoOCd0TKizvE4GM9xF9AltKyfyTcuBWTsRu1Zg2istxtkR:g/O+0TKivtGM9v9OKy6AKoZECxtkR
              MD5:C28DFFF3E22EFE40E1ED66C2E04202AB
              SHA1:61B909FDE36150867158A24ADEF89C4E7223EE20
              SHA-256:71CA449C5AC31DD841A2D0AD9303D73C7D99CB1A2B902F971487B0774CC7311D
              SHA-512:6217116B691C718A26D6E0C8D41E78794EFE6ED37A2BAB1DE76767A5DCFEDFD33A25237DD9E7704B8C6FB3A839D4A643A74236575B74E220DF6471C6435BF79D
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Metadefender, Detection: 35%
              • Antivirus: ReversingLabs, Detection: 79%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L....vb`...........!.....t...X..........................................................................................N...\...........................................................................................4............................text...&r.......t.................. ..`.rdata..N............x..............@..@.data....K.......L..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1300
              Entropy (8bit):5.111834471266593
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YYnaxtn:cbk4oL600QydbQxIYODOLedq3Enaj
              MD5:4B12010B374C23EC194AAC2E6851C55D
              SHA1:64A908E58369487E54FAB9DA227E989A66BF06EC
              SHA-256:F0B28EE944D379456665C618F88523F4D4F0C84FCB0A36764F0C3894FE21DA68
              SHA-512:C619583FD1D50137ED051C0BE9C0A5FA47E0044C2BCC2FDA4192FE6AB71DB0A4298D3305EF5BD7015F81F90FCC54DBA87694A3D84054CEEE4386E09B03899036
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\tmpE932.tmp
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:data
              Category:dropped
              Size (bytes):2088
              Entropy (8bit):7.089541637477408
              Encrypted:false
              SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhDjhL
              MD5:84864902DEC5038CEF326FF21E8D5F98
              SHA1:2F10FEC81D95813C3B2530EC4CECED70164A08C5
              SHA-256:5B4853A46F99AC6445B68DC1A841D511D0E86C6EDEC2A0A84F3778039A578B6B
              SHA-512:A77BCDB522CE208C8D785F44D9FE90C6D1314CB199A4BE72E220F4B8C5446265EEEF1C51EFFD2D7BDCCDC8F4A76F803A41A4973364757950D0777E8BAEF0B14C
              Malicious:false
              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:data
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:XAMt:XAMt
              MD5:94ACA90BADDB679194ED476EF94BBCFE
              SHA1:040CEEB0A21135E90B5A6FBE067128CE75426BCD
              SHA-256:B2FFBAA0180A605159B55D3089B3C7B26494CE555DBC3F61891333CFF09E4DF9
              SHA-512:BBE69353B4B89B44E275E06BD659EAD13F31286B8FD56FC231D215847D1F15C86A14870AA1F6F7FF9429EDCB3335BB694C09AAA499D0FB297925FA19B434CE36
              Malicious:true
              Preview: ...w...H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:data
              Category:modified
              Size (bytes):40
              Entropy (8bit):5.153055907333276
              Encrypted:false
              SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
              MD5:4E5E92E2369688041CC82EF9650EDED2
              SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
              SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
              SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
              Malicious:false
              Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:data
              Category:dropped
              Size (bytes):327768
              Entropy (8bit):7.999367066417797
              Encrypted:true
              SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
              MD5:2E52F446105FBF828E63CF808B721F9C
              SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
              SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
              SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
              Malicious:false
              Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):37
              Entropy (8bit):4.087567554701195
              Encrypted:false
              SSDEEP:3:oNt+WfWf42AdA:oNwvQ2AC
              MD5:FEDC89A97E407A2382E8DD6750414AB6
              SHA1:7E838AC68B62BD0648E611D2F602732BE2D9046B
              SHA-256:18C32D27C912FB6BFAD47FBAEF6F6C5BEE66CA442926F62856FE26AC6BD969FF
              SHA-512:9B1011ECAA53A13E009C512B1FD49969FB5F176653117558AE17E1FE7F7CB63D759DF9448A3C2F68C8E13C5FD7AA8653FE51F5B4A818B4421502954B71037769
              Malicious:false
              Preview: C:\Users\user\Desktop\zr0evNqvkC.exe
              C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe
              Process:C:\Users\user\Desktop\zr0evNqvkC.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Category:dropped
              Size (bytes):723339
              Entropy (8bit):5.79069826682285
              Encrypted:false
              SSDEEP:6144:IAPLSbA+7FZRyUakmmN681VueMiXbGQxS6MgCAZFu2KnU5rB6yxv82wNH7e6c:ZuF7yUakmmNWnuPOTgOnU50882Ge6c
              MD5:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              SHA1:AE0DE88F43B79F629C38C6990E9BA563AB35D532
              SHA-256:76CCACC15808E1C228AF17491E3CB90623807F3B5BC3828578CF9A83A7F8904B
              SHA-512:53BAC375C10EAD301E516E24B943A5DA18CE487148C95D7761479C1EE990353209C7846A9E090FCCDA116DEBD522FA7ED23D6B9831E9BBE0F8DF844224721DAD
              Malicious:true
              Antivirus:
              • Antivirus: Metadefender, Detection: 19%
              • Antivirus: ReversingLabs, Detection: 24%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............j[..j[..j[/.5[..j[..k[:.j[".7[..j[..Z[..j[f.l[..j[Rich..j[................PE..L....Z.I.................Z...x.......0.......p....@..........................................................................s..........7............................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......@...........................rsrc...7............t..............@..@........................................................................................................................................................................................................................................................................................................................................................

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):5.79069826682285
              TrID:
              • Win32 Executable (generic) a (10002005/4) 92.16%
              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:zr0evNqvkC.exe
              File size:723339
              MD5:ce3d2c6f07c0f14cf7ffcb8af7d7fa38
              SHA1:ae0de88f43b79f629c38c6990e9ba563ab35d532
              SHA256:76ccacc15808e1c228af17491e3cb90623807f3b5bc3828578cf9a83a7f8904b
              SHA512:53bac375c10ead301e516e24b943a5da18ce487148c95d7761479c1ee990353209c7846a9e090fccda116debd522fa7ed23d6b9831e9bbe0f8df844224721dad
              SSDEEP:6144:IAPLSbA+7FZRyUakmmN681VueMiXbGQxS6MgCAZFu2KnU5rB6yxv82wNH7e6c:ZuF7yUakmmNWnuPOTgOnU50882Ge6c
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............j[..j[..j[/.5[..j[..k[:.j[".7[..j[..Z[..j[f.l[..j[Rich..j[................PE..L....Z.I.................Z...x.......0.....

              File Icon

              Icon Hash:d8c8d0d0f0ccd4d0

              Static PE Info

              General

              Entrypoint:0x4030cb
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x49A05A15 [Sat Feb 21 19:46:29 2009 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:7fa974366048f9c551ef45714595665e

              Entrypoint Preview

              Instruction
              sub esp, 00000180h
              push ebx
              push ebp
              push esi
              xor ebx, ebx
              push edi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409160h
              xor esi, esi
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [00407030h]
              push 00008001h
              call dword ptr [004070B0h]
              push ebx
              call dword ptr [0040727Ch]
              push 00000008h
              mov dword ptr [00423F38h], eax
              call 00007FE25879A022h
              mov dword ptr [00423E84h], eax
              push ebx
              lea eax, dword ptr [esp+34h]
              push 00000160h
              push eax
              push ebx
              push 0041F430h
              call dword ptr [00407158h]
              push 00409154h
              push 00423680h
              call 00007FE258799CD9h
              call dword ptr [004070ACh]
              mov edi, 00429000h
              push eax
              push edi
              call 00007FE258799CC7h
              push ebx
              call dword ptr [0040710Ch]
              cmp byte ptr [00429000h], 00000022h
              mov dword ptr [00423E80h], eax
              mov eax, edi
              jne 00007FE25879743Ch
              mov byte ptr [esp+14h], 00000022h
              mov eax, 00429001h
              push dword ptr [esp+14h]
              push eax
              call 00007FE2587997BAh
              push eax
              call dword ptr [0040721Ch]
              mov dword ptr [esp+1Ch], eax
              jmp 00007FE258797495h
              cmp cl, 00000020h
              jne 00007FE258797438h
              inc eax
              cmp byte ptr [eax], 00000020h
              je 00007FE25879742Ch
              cmp byte ptr [eax], 00000022h
              mov byte ptr [eax+eax+00h], 00000000h

              Rich Headers

              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x5b537 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x58ce | 0x5a00 | False | 0.665060763889 | data | 6.4327194239 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444010416667 | data | 5.17644153669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x9000 | 0x1af78 | 0x400 | False | 0.5498046875 | data | 4.62049264052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0x2c000 | 0x5b537 | 0x5b600 | False | 0.0300102599179 | data | 2.17428906497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_BITMAP | 0x2c3a0 | 0x368 | data | English | United States
              RT_ICON | 0x2c708 | 0x42028 | dBase III DBT, version number 0, next free block index 40
              RT_ICON | 0x6e730 | 0x468 | GLS_BINARY_LSB_FIRST
              RT_ICON | 0x6eb98 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
              RT_ICON | 0x71140 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
              RT_ICON | 0x721e8 | 0x10828 | dBase III DBT, version number 0, next free block index 40
              RT_ICON | 0x82a10 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
              RT_DIALOG | 0x86c38 | 0xb8 | data | English | United States
              RT_DIALOG | 0x86cf0 | 0x144 | data | English | United States
              RT_DIALOG | 0x86e34 | 0x13c | data | English | United States
              RT_DIALOG | 0x86f70 | 0x100 | data | English | United States
              RT_DIALOG | 0x87070 | 0x11c | data | English | United States
              RT_DIALOG | 0x8718c | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x871ec | 0x5a | data
              RT_VERSION | 0x87248 | 0x104 | data | English | United States
              RT_MANIFEST | 0x8734c | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

              Imports

              DLL | Import
              KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
              USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
              GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
              SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
              ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
              ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
              VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

              Version Infos

              Description | Data
              ProductName | Lat
              Translation | 0x0409 0x0000

              Possible Origin

              Language of compilation system | Country where language is spoken
              English | United States

              Network Behavior

              Snort IDS Alerts

              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              04/07/21-18:52:04.882913 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:10.376667 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49739 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:18.556980 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:24.822667 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:31.139644 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:39.037794 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49754 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:39.045553 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8
              04/07/21-18:52:45.273685 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:50.569954 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49767 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:52:55.572664 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:02.534994 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:09.666206 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:15.738288 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:21.223296 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:28.858840 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49781 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:35.087683 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49784 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:42.028900 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:48.802827 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49786 | 8092 | 192.168.2.4 | 40.71.91.165
              04/07/21-18:53:54.800276 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49787 | 8092 | 192.168.2.4 | 40.71.91.165

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Apr 7, 2021 18:52:05.709840059 CEST80924973740.71.91.165192.168.2.4
              Apr 7, 2021 18:52:05.709861040 CEST80924973740.71.91.165192.168.2.4
              Apr 7, 2021 18:52:05.709882021 CEST80924973740.71.91.165192.168.2.4
              Apr 7, 2021 18:52:05.709882975 CEST497378092192.168.2.440.71.91.165
              Apr 7, 2021 18:52:05.709903955 CEST80924973740.71.91.165192.168.2.4
              Apr 7, 2021 18:52:05.709904909 CEST497378092192.168.2.440.71.91.165
              Apr 7, 2021 18:52:05.709939003 CEST497378092192.168.2.440.71.91.165
              Apr 7, 2021 18:52:05.814007998 CEST80924973740.71.91.165192.168.2.4

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Apr 7, 2021 18:51:49.668410063 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:49.681291103 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:49.955868006 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:49.974833012 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:50.649139881 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:50.662425995 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:51.451816082 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:51.464715958 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:52.212124109 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:52.225452900 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:53.202661037 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:53.214582920 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:54.346667051 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:54.361955881 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:57.225601912 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:57.238090038 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:58.049593925 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:58.069442987 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:51:59.151048899 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:51:59.165915012 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:04.526913881 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:04.708865881 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:09.228241920 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:09.242341995 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:10.066013098 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:10.269023895 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:10.364712954 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:10.378629923 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:11.382951021 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:11.400620937 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:15.265892029 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:15.279691935 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:16.958823919 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:16.971725941 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:17.559622049 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:17.742032051 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:18.432502985 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:18.446320057 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:19.510761976 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:19.523236036 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:20.567899942 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:21.574311018 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:21.587899923 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:23.492752075 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:23.507734060 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:24.172226906 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:24.185035944 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:24.699043036 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:24.713674068 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:27.041562080 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:27.060167074 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:30.881194115 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:30.895111084 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:37.864695072 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:38.912863970 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:38.927278996 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:39.045465946 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:40.994267941 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:41.085634947 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:41.516406059 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:41.618478060 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:42.113049030 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:42.248286963 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:42.274636984 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:42.364857912 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:42.789534092 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:42.802956104 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:43.266644955 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:43.283422947 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:43.814109087 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:43.828403950 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:44.537889004 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:44.550858021 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:45.152621984 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:45.167325020 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:45.255939960 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:45.269296885 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:46.724050045 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:46.792399883 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:47.571589947 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:47.586393118 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:50.452678919 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:50.465898037 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:55.389674902 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:55.403268099 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:56.903987885 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:56.918289900 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:57.286070108 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:57.299010038 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:52:59.531410933 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:52:59.550730944 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:02.394126892 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:02.407021999 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:09.545264959 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:09.558789968 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:15.616029024 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:15.630995035 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:20.693864107 CEST | 63300 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:20.880876064 CEST | 53 | 63300 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:28.656956911 CEST | 61449 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:28.671060085 CEST | 53 | 61449 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:32.126914024 CEST | 51275 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:32.140156984 CEST | 53 | 51275 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:34.345143080 CEST | 63492 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:34.357973099 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:34.700691938 CEST | 58945 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:34.883023977 CEST | 53 | 58945 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:41.663753033 CEST | 60779 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:41.923051119 CEST | 53 | 60779 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:48.681149006 CEST | 64014 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:48.694021940 CEST | 53 | 64014 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:53:54.665651083 CEST | 57091 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:53:54.678160906 CEST | 53 | 57091 | 8.8.8.8 | 192.168.2.4
              Apr 7, 2021 18:54:01.627024889 CEST | 55904 | 53 | 192.168.2.4 | 8.8.8.8
              Apr 7, 2021 18:54:01.808187008 CEST | 53 | 55904 | 8.8.8.8 | 192.168.2.4

              ICMP Packets

              Timestamp | Source IP | Dest IP | Checksum | Code | Type
              Apr 7, 2021 18:52:39.045552969 CEST | 192.168.2.4 | 8.8.8.8 | d009 | (Port unreachable) | Destination Unreachable

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Apr 7, 2021 18:52:04.526913881 CEST | 192.168.2.4 | 8.8.8.8 | 0x84c8 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:10.066013098 CEST | 192.168.2.4 | 8.8.8.8 | 0x7ee2 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:17.559622049 CEST | 192.168.2.4 | 8.8.8.8 | 0x185a | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:24.699043036 CEST | 192.168.2.4 | 8.8.8.8 | 0x6e19 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:30.881194115 CEST | 192.168.2.4 | 8.8.8.8 | 0x37fb | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:37.864695072 CEST | 192.168.2.4 | 8.8.8.8 | 0x8aba | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:38.912863970 CEST | 192.168.2.4 | 8.8.8.8 | 0x8aba | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:45.152621984 CEST | 192.168.2.4 | 8.8.8.8 | 0x63c6 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:50.452678919 CEST | 192.168.2.4 | 8.8.8.8 | 0x2b8b | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:55.389674902 CEST | 192.168.2.4 | 8.8.8.8 | 0x46c5 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:02.394126892 CEST | 192.168.2.4 | 8.8.8.8 | 0x12cf | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:09.545264959 CEST | 192.168.2.4 | 8.8.8.8 | 0x49bd | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:15.616029024 CEST | 192.168.2.4 | 8.8.8.8 | 0x43c3 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:20.693864107 CEST | 192.168.2.4 | 8.8.8.8 | 0xecc8 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:28.656956911 CEST | 192.168.2.4 | 8.8.8.8 | 0xc9ee | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:34.700691938 CEST | 192.168.2.4 | 8.8.8.8 | 0x87dc | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:41.663753033 CEST | 192.168.2.4 | 8.8.8.8 | 0xe88d | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:48.681149006 CEST | 192.168.2.4 | 8.8.8.8 | 0xb6c5 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:54.665651083 CEST | 192.168.2.4 | 8.8.8.8 | 0x900b | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:54:01.627024889 CEST | 192.168.2.4 | 8.8.8.8 | 0x49fe | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Apr 7, 2021 18:52:04.708865881 CEST | 8.8.8.8 | 192.168.2.4 | 0x84c8 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:10.269023895 CEST | 8.8.8.8 | 192.168.2.4 | 0x7ee2 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:17.742032051 CEST | 8.8.8.8 | 192.168.2.4 | 0x185a | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:24.713674068 CEST | 8.8.8.8 | 192.168.2.4 | 0x6e19 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:30.895111084 CEST | 8.8.8.8 | 192.168.2.4 | 0x37fb | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:38.927278996 CEST | 8.8.8.8 | 192.168.2.4 | 0x8aba | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:39.045465946 CEST | 8.8.8.8 | 192.168.2.4 | 0x8aba | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:45.167325020 CEST | 8.8.8.8 | 192.168.2.4 | 0x63c6 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:50.465898037 CEST | 8.8.8.8 | 192.168.2.4 | 0x2b8b | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:52:55.403268099 CEST | 8.8.8.8 | 192.168.2.4 | 0x46c5 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:02.407021999 CEST | 8.8.8.8 | 192.168.2.4 | 0x12cf | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:09.558789968 CEST | 8.8.8.8 | 192.168.2.4 | 0x49bd | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:15.630995035 CEST | 8.8.8.8 | 192.168.2.4 | 0x43c3 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:20.880876064 CEST | 8.8.8.8 | 192.168.2.4 | 0xecc8 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:28.671060085 CEST | 8.8.8.8 | 192.168.2.4 | 0xc9ee | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:34.883023977 CEST | 8.8.8.8 | 192.168.2.4 | 0x87dc | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:41.923051119 CEST | 8.8.8.8 | 192.168.2.4 | 0xe88d | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:48.694021940 CEST | 8.8.8.8 | 192.168.2.4 | 0xb6c5 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:53:54.678160906 CEST | 8.8.8.8 | 192.168.2.4 | 0x900b | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
              Apr 7, 2021 18:54:01.808187008 CEST | 8.8.8.8 | 192.168.2.4 | 0x49fe | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
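
The DNS tables above are the network-side fingerprint of the implant: the sample re-resolves backu4734.duckdns.org roughly every six to seven seconds, always receives 40.71.91.165, and once (transaction 0x8aba) retransmits a query and gets two answers, the second of which arrives after the socket has gone away, which is consistent with the ICMP port-unreachable the sandbox logged at 18:52:39. The Python below is an added example, not part of the Joe Sandbox report: it parses the first eight query rows and their answers (copied from the tables above, columns pipe-separated, because the page's glued layout cannot be split unambiguously), collapses retransmits by transaction ID, and scores the lookup pattern as a dynamic-DNS C2 beacon. The dynamic-DNS suffix list, the thresholds and the function names are assumptions for illustration.

```python
import re
import statistics
from datetime import datetime

# Assumption: a short illustrative list of dynamic-DNS providers; extend from your own intel.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org")

# Constructed input: the first eight DNS query rows and their answers from the
# report above, with the columns pipe-separated. They include the retransmitted
# query 0x8aba and its two answers.
DNS_QUERIES = """
Apr 7, 2021 18:52:04.526913881 CEST | 192.168.2.4 | 8.8.8.8 | 0x84c8 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:10.066013098 CEST | 192.168.2.4 | 8.8.8.8 | 0x7ee2 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:17.559622049 CEST | 192.168.2.4 | 8.8.8.8 | 0x185a | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:24.699043036 CEST | 192.168.2.4 | 8.8.8.8 | 0x6e19 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:30.881194115 CEST | 192.168.2.4 | 8.8.8.8 | 0x37fb | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:37.864695072 CEST | 192.168.2.4 | 8.8.8.8 | 0x8aba | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:38.912863970 CEST | 192.168.2.4 | 8.8.8.8 | 0x8aba | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:45.152621984 CEST | 192.168.2.4 | 8.8.8.8 | 0x63c6 | Standard query (0) | backu4734.duckdns.org | A (IP address) | IN (0x0001)
"""
DNS_ANSWERS = """
Apr 7, 2021 18:52:04.708865881 CEST | 8.8.8.8 | 192.168.2.4 | 0x84c8 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:10.269023895 CEST | 8.8.8.8 | 192.168.2.4 | 0x7ee2 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:17.742032051 CEST | 8.8.8.8 | 192.168.2.4 | 0x185a | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:24.713674068 CEST | 8.8.8.8 | 192.168.2.4 | 0x6e19 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:30.895111084 CEST | 8.8.8.8 | 192.168.2.4 | 0x37fb | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:38.927278996 CEST | 8.8.8.8 | 192.168.2.4 | 0x8aba | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:39.045465946 CEST | 8.8.8.8 | 192.168.2.4 | 0x8aba | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
Apr 7, 2021 18:52:45.167325020 CEST | 8.8.8.8 | 192.168.2.4 | 0x63c6 | No error (0) | backu4734.duckdns.org |  | 40.71.91.165 | A (IP address) | IN (0x0001)
"""

# Joe Sandbox prints nanoseconds and a zone name; datetime carries microseconds,
# so the fraction is truncated and the zone ignored (all rows share it).
TS_RE = re.compile(r"^(\w{3} \d+, \d{4} \d\d:\d\d:\d\d)\.(\d+) \S+$")


def parse_ts(text):
    base, frac = TS_RE.match(text.strip()).groups()
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    return [[c.strip() for c in line.split("|")] for line in text.strip().splitlines()]


def is_dynamic_dns(name):
    """Label-boundary suffix match, so 'evilduckdns.org' does not count."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DYNDNS_SUFFIXES)


def profile_domain(queries, answers, name):
    """Summarise how one name is resolved: gap between fresh lookups (retransmits
    share a transaction ID and are collapsed), answers per ID, addresses returned."""
    first_seen = {}  # transaction ID -> time of the first query carrying it
    for ts, _src, _dst, txid, _op, qname, _qtype, _qclass in parse_rows(queries):
        if qname == name:
            first_seen.setdefault(txid, parse_ts(ts))
    answers_per_id = {}
    addresses = set()
    for ts, _src, _dst, txid, _rcode, aname, _cname, addr, _atype, _aclass in parse_rows(answers):
        if aname == name and txid in first_seen:
            answers_per_id[txid] = answers_per_id.get(txid, 0) + 1
            if addr:
                addresses.add(addr)
    times = sorted(first_seen.values())
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "name": name,
        "dynamic_dns": is_dynamic_dns(name),
        "lookups": len(first_seen),
        "median_interval_s": statistics.median(gaps) if gaps else None,
        "jitter_s": statistics.pstdev(gaps) if len(gaps) > 1 else 0.0,
        "addresses": sorted(addresses),
        "duplicate_answers": sorted(t for t, n in answers_per_id.items() if n > 1),
        "unanswered": sorted(t for t in first_seen if t not in answers_per_id),
    }


def looks_like_beacon(profile, min_lookups=5, max_jitter_s=2.0):
    """Periodic re-resolution of a dynamic-DNS name that always maps to one
    address is the DNS-side shape of a RAT polling its C2 (heuristic, not proof)."""
    return (profile["dynamic_dns"] and profile["lookups"] >= min_lookups
            and len(profile["addresses"]) == 1 and profile["jitter_s"] <= max_jitter_s)


if __name__ == "__main__":
    p = profile_domain(DNS_QUERIES, DNS_ANSWERS, "backu4734.duckdns.org")
    print(p, "-> beacon" if looks_like_beacon(p) else "-> no verdict")
```

On the rows above this yields seven distinct lookups, a median gap of about seven seconds with well under a second of jitter, a single address and one duplicated answer (0x8aba); a resolver log from a real host would be scored the same way, and the thresholds are the place to tune for your own environment.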

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:18:51:55
              Start date:07/04/2021
              Path:C:\Users\user\Desktop\zr0evNqvkC.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\zr0evNqvkC.exe'
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.654475724.0000000002390000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:18:51:56
              Start date:07/04/2021
              Path:C:\Users\user\Desktop\zr0evNqvkC.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\zr0evNqvkC.exe'
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000001.651190577.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000001.651190577.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000001.651190577.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:18:52:01
              Start date:07/04/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE5B6.tmp'
              Imagebase:0xd00000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:52:01
              Start date:07/04/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff724c50000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:52:02
              Start date:07/04/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE932.tmp'
              Imagebase:0xd00000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:52:02
              Start date:07/04/2021
              Path:C:\Users\user\Desktop\zr0evNqvkC.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\zr0evNqvkC.exe 0
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.672011153.00000000034E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:18:52:02
              Start date:07/04/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff724c50000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:18:52:03
              Start date:07/04/2021
              Path:C:\Users\user\Desktop\zr0evNqvkC.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\zr0evNqvkC.exe 0
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.687210214.000000000374C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.686783298.00000000024D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.687130487.0000000002760000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.685777873.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.687173726.0000000003711000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.687173726.0000000003711000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.687173726.0000000003711000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000001.667478998.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.667478998.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.667478998.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.686993962.0000000002692000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.686993962.0000000002692000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.686993962.0000000002692000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.686267445.00000000007AA000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.686267445.00000000007AA000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.686267445.00000000007AA000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:18:52:05
              Start date:07/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.681302642.0000000002490000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 19%, Metadefender, Browse
              • Detection: 24%, ReversingLabs
              Reputation:low

              General

              Start time:18:52:06
              Start date:07/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.695786654.00000000033E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.695567999.00000000021D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.695829534.000000000341C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.695829534.000000000341C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.695741140.0000000002430000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.695251206.000000000065C000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.695251206.000000000065C000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.695251206.000000000065C000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.694875196.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.696770647.0000000004922000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.696770647.0000000004922000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.696770647.0000000004922000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:18:52:14
              Start date:07/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.699663982.00000000034E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:18:52:15
              Start date:07/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:723339 bytes
              MD5 hash:CE3D2C6F07C0F14CF7FFCB8AF7D7FA38
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.710751870.00000000047D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.710086127.00000000033CC000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.710086127.00000000033CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.711101394.0000000004E62000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.711101394.0000000004E62000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.711101394.0000000004E62000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.710048527.0000000003391000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.710048527.0000000003391000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.710048527.0000000003391000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.709598376.00000000007C9000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.709598376.00000000007C9000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.709598376.00000000007C9000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.708824233.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.710008654.00000000023E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Disassembly

              Code Analysis
