Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report bGf2H3tXGg.exe

Overview

General Information

Sample Name:bGf2H3tXGg.exe
Analysis ID:384149
MD5:f72a7fd231e50f9b43c3dab470364846
SHA1:1ac9f0876ec8f4b95fb0bbae48c2a5b5d02ed411
SHA256:fb01157b437b00f34999faa320bb55c8e44bdbb415e9a15503035bfe0e1d40d6
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • bGf2H3tXGg.exe (PID: 4656 cmdline: 'C:\Users\user\Desktop\bGf2H3tXGg.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
    • bGf2H3tXGg.exe (PID: 204 cmdline: 'C:\Users\user\Desktop\bGf2H3tXGg.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
      • schtasks.exe (PID: 6280 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6320 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bGf2H3tXGg.exe (PID: 6468 cmdline: C:\Users\user\Desktop\bGf2H3tXGg.exe 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
    • bGf2H3tXGg.exe (PID: 6704 cmdline: C:\Users\user\Desktop\bGf2H3tXGg.exe 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
  • dhcpmon.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
    • dhcpmon.exe (PID: 6816 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: F72A7FD231E50F9B43C3DAB470364846)
  • dhcpmon.exe (PID: 6752 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
    • dhcpmon.exe (PID: 6212 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: F72A7FD231E50F9B43C3DAB470364846)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ccf3c62d-d356-4a80-bb94-307bc35a", "Group": "Backup", "Domain1": "backu4734.duckdns.org", "Domain2": "backu4734.duckdns.org", "Port": 8092, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x146bd:$x1: NanoCore.ClientPluginHost
    • 0x146fa:$x2: IClientNetworkHost
    • 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 125 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      22.2.dhcpmon.exe.24bcc88.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
      22.2.dhcpmon.exe.24bcc88.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
      11.2.bGf2H3tXGg.exe.29c1458.3.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      11.2.bGf2H3tXGg.exe.29c1458.3.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
      11.2.bGf2H3tXGg.exe.29c1458.3.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        Click to see the 355 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\bGf2H3tXGg.exe, ProcessId: 204, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp locationShow sources
        Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\bGf2H3tXGg.exe' , ParentImage: C:\Users\user\Desktop\bGf2H3tXGg.exe, ParentProcessId: 204, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp', ProcessId: 6280

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Antivirus detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dllAvira: detection malicious, Label: HEUR/AGEN.1120893
        Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dllAvira: detection malicious, Label: HEUR/AGEN.1120893
        Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dllAvira: detection malicious, Label: HEUR/AGEN.1120893
        Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dllAvira: detection malicious, Label: HEUR/AGEN.1120893
        Found malware configurationShow sources
        Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ccf3c62d-d356-4a80-bb94-307bc35a", "Group": "Backup", "Domain1": "backu4734.duckdns.org", "Domain2": "backu4734.duckdns.org", "Port": 8092, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeVirustotal: Detection: 50%Perma Link
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 68%
        Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dllVirustotal: Detection: 19%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dllMetadefender: Detection: 13%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dllReversingLabs: Detection: 41%
        Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dllVirustotal: Detection: 19%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dllMetadefender: Detection: 13%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dllReversingLabs: Detection: 41%
        Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dllVirustotal: Detection: 19%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dllMetadefender: Detection: 13%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dllReversingLabs: Detection: 41%
        Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dllVirustotal: Detection: 19%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dllMetadefender: Detection: 13%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dllReversingLabs: Detection: 41%
        Multi AV Scanner detection for submitted fileShow sources
        Source: bGf2H3tXGg.exeVirustotal: Detection: 50%Perma Link
        Source: bGf2H3tXGg.exeReversingLabs: Detection: 68%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPE
        Machine Learning detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
        Machine Learning detection for sampleShow sources
        Source: bGf2H3tXGg.exeJoe Sandbox ML: detected
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.2.dhcpmon.exe.2430000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.1.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.2.dhcpmon.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 17.2.dhcpmon.exe.4a60000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 17.2.dhcpmon.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7

        Compliance:

        barindex
        Detected unpacking (creates a PE file in dynamic memory)Show sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.2430000.4.unpack
        Detected unpacking (overwrites its own PE header)Show sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 3.2.bGf2H3tXGg.exe.400000.1.unpack
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 14.2.bGf2H3tXGg.exe.400000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 17.2.dhcpmon.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.400000.1.unpack
        Source: bGf2H3tXGg.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: bGf2H3tXGg.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wntdll.pdbUGP source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040646B FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_004027A1 FindFirstFileA,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_00404A29 FindFirstFileExW,

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: backu4734.duckdns.org
        Uses dynamic DNS servicesShow sources
        Source: unknownDNS query: name: backu4734.duckdns.org
        Source: global trafficTCP traffic: 192.168.2.5:49708 -> 40.71.91.165:8092
        Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
        Source: unknownDNS traffic detected: queries for: backu4734.duckdns.org
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://google.com
        Source: bGf2H3tXGg.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
        Source: bGf2H3tXGg.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
        Source: bGf2H3tXGg.exe, 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339271124.00000000024E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.323888903.00000000025B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.24bcc88.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.254b998.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.24fba7c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.258cc88.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.23fca20.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.25cba7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.bGf2H3tXGg.exe.250cc3c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.341adf4.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.34111ef.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_00406945
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040711C
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_0040A2A5
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_0225E471
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_0225E480
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_0225BBD4
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_0040A2A5
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_0040A2A5
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_007FE470
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_007FE480
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_007FBBD4
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_051BF5F8
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_051B9788
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_051BA5A2
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_051BA5E4
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_05273E30
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_05274A50
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_05274B08
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_0254E470
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_0254E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_0254BBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_051BF5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_051B9788
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_051BA5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_051BA610
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_05393E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_05394A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_05395330
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_05394B08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_009EE480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_009EE47C
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_009EBBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_04FBF5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_04FB9788
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_04FBA5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_05253E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_05254A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_05254B08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_0040A2A5
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: String function: 00401ED0 appears 92 times
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: String function: 004056B5 appears 32 times
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: String function: 0040569E appears 72 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 00401ED0 appears 92 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 0040569E appears 72 times
        Source: bGf2H3tXGg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: bGf2H3tXGg.exe, 00000000.00000003.246102412.0000000002CAF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 0000000B.00000003.288368251.0000000002B16000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 0000000E.00000002.321173219.0000000005240000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exe, 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs bGf2H3tXGg.exe
        Source: bGf2H3tXGg.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339271124.00000000024E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.323888903.00000000025B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.24bcc88.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.24bcc88.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.254b998.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.254b998.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.24fba7c.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.24fba7c.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.24787c8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.373c0d6.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.258cc88.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.258cc88.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.23fca20.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.23fca20.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.340c550.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.25cba7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.25cba7c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2457edc.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.374a506.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.37332a7.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.bGf2H3tXGg.exe.250cc3c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.250cc3c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.341adf4.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.341adf4.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.34111ef.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.34111ef.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.bGf2H3tXGg.exe.2464158.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@18/24@16/1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_01
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ccf3c62d-d356-4a80-bb94-307bc35a5e01}
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Users\user\AppData\Local\Temp\nsr9A59.tmpJump to behavior
        Source: bGf2H3tXGg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: bGf2H3tXGg.exeVirustotal: Detection: 50%
        Source: bGf2H3tXGg.exeReversingLabs: Detection: 68%
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile read: C:\Users\user\Desktop\bGf2H3tXGg.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe 'C:\Users\user\Desktop\bGf2H3tXGg.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe 'C:\Users\user\Desktop\bGf2H3tXGg.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe C:\Users\user\Desktop\bGf2H3tXGg.exe 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe C:\Users\user\Desktop\bGf2H3tXGg.exe 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe 'C:\Users\user\Desktop\bGf2H3tXGg.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe C:\Users\user\Desktop\bGf2H3tXGg.exe 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: bGf2H3tXGg.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wntdll.pdbUGP source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: bGf2H3tXGg.exe, 00000000.00000003.242145777.0000000002A00000.00000004.00000001.sdmp, bGf2H3tXGg.exe, 0000000B.00000003.300129419.0000000002A50000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.294879939.0000000002900000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000003.316493535.0000000002A50000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp

        Data Obfuscation:

        barindex
        Detected unpacking (changes PE section rights)Show sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 3.2.bGf2H3tXGg.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 14.2.bGf2H3tXGg.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 17.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
        Detected unpacking (creates a PE file in dynamic memory)Show sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.2430000.4.unpack
        Detected unpacking (overwrites its own PE header)Show sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 3.2.bGf2H3tXGg.exe.400000.1.unpack
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeUnpacked PE file: 14.2.bGf2H3tXGg.exe.400000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 17.2.dhcpmon.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 22.2.dhcpmon.exe.400000.1.unpack
        .NET source code contains potential unpackerShow sources
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_051B7648 push eax; iretd
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_05276E55 push FFFFFF8Bh; iretd
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_051B7648 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_05396E55 push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_1_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_04FB7648 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_05256E55 push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_00401F16 push ecx; ret
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 17.2.dhcpmon.exe.4a60000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 22.2.dhcpmon.exe.2430000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dllJump to dropped file
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dllJump to dropped file
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dllJump to dropped file
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile created: C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dllJump to dropped file

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeFile opened: C:\Users\user\Desktop\bGf2H3tXGg.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWindow / User API: threadDelayed 8951
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWindow / User API: foregroundWindowGot 649
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWindow / User API: foregroundWindowGot 744
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 1384Thread sleep time: -38000s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 6536Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 6508Thread sleep time: -120000s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 6472Thread sleep time: -38000s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6604Thread sleep time: -38000s >= -30000s
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 5088Thread sleep count: 42 > 30
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exe TID: 7164Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6756Thread sleep time: -38000s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6200Thread sleep count: 44 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1064Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5960Thread sleep count: 39 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6256Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0040646B FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_004027A1 FindFirstFileA,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeThread delayed: delay time: 38000
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeThread delayed: delay time: 38000
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 38000
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 38000
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_10001140 Cgrlcpdlsle,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,FindCloseChangeNotification,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_02282B1F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_0228286F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 11_2_02992B1F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 11_2_0299286F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_02442B1F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0244286F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_02852B1F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0285286F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_004067FE GetProcessHeap,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 14_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 22_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Contains functionality to prevent local Windows debuggingShow sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_10001140 Cgrlcpdlsle,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,FindCloseChangeNotification,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 11_2_10001140 Cgrlcpdlsle,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,FindCloseChangeNotification,
        Maps a DLL or memory area into another processShow sources
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeSection loaded: unknown target: C:\Users\user\Desktop\bGf2H3tXGg.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeSection loaded: unknown target: C:\Users\user\Desktop\bGf2H3tXGg.exe protection: execute and read and write
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe 'C:\Users\user\Desktop\bGf2H3tXGg.exe'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp'
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeProcess created: C:\Users\user\Desktop\bGf2H3tXGg.exe C:\Users\user\Desktop\bGf2H3tXGg.exe 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: bGf2H3tXGg.exe, 00000003.00000002.491387515.0000000002695000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
        Source: bGf2H3tXGg.exe, 00000003.00000002.488115189.0000000000DC0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: bGf2H3tXGg.exe, 00000003.00000002.490038547.0000000002548000.00000004.00000001.sdmpBinary or memory string: Program Manager`
        Source: bGf2H3tXGg.exe, 00000003.00000002.492942931.00000000029A7000.00000004.00000001.sdmpBinary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_0040208D cpuid
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 3_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeCode function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\bGf2H3tXGg.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: bGf2H3tXGg.exe, 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: bGf2H3tXGg.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: bGf2H3tXGg.exe, 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: bGf2H3tXGg.exe, 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: bGf2H3tXGg.exe, 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: bGf2H3tXGg.exe, 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: bGf2H3tXGg.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: bGf2H3tXGg.exe, 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 4656, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6468, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 6704, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: bGf2H3tXGg.exe PID: 204, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6212, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6816, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6600, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6752, type: MEMORY
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.4e70000.16.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4960000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35de3de.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.2430000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.3565530.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.350e3de.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.351783d.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.4a80000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.34e5530.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.28c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2870000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.3563214.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.21d0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.356783d.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.355e3de.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3495530.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.35e3214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.673878.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.3470831.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.525980.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.346c208.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.3513214.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.4a60000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29b0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.bGf2H3tXGg.exe.872728.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.bGf2H3tXGg.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.2881458.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.bGf2H3tXGg.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.5c6ad8.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.dhcpmon.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.bGf2H3tXGg.exe.29c1458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.bGf2H3tXGg.exe.415058.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Access Token Manipulation1Disable or Modify Tools1Input Capture11System Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
        Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsProcess Injection212Deobfuscate/Decode Files or Information11LSASS MemoryFile and Directory Discovery2Remote Desktop ProtocolInput Capture11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Scheduled Task/Job1Obfuscated Files or Information2Security Account ManagerSystem Information Discovery25SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing41NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading2LSA SecretsSecurity Software Discovery14SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol21Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion31Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsAccess Token Manipulation1DCSyncVirtualization/Sandbox Evasion31Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection212Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 384149 Sample: bGf2H3tXGg.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 14 other signatures 2->65 8 bGf2H3tXGg.exe 18 2->8         started        12 dhcpmon.exe 16 2->12         started        14 bGf2H3tXGg.exe 16 2->14         started        16 dhcpmon.exe 16 2->16         started        process3 file4 49 C:\Users\user\AppData\Local\...\xktfu.dll, PE32 8->49 dropped 69 Detected unpacking (changes PE section rights) 8->69 71 Detected unpacking (overwrites its own PE header) 8->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 8->73 75 Contains functionality to prevent local Windows debugging 8->75 18 bGf2H3tXGg.exe 1 16 8->18         started        51 C:\Users\user\AppData\Local\...\xktfu.dll, PE32 12->51 dropped 77 Maps a DLL or memory area into another process 12->77 23 dhcpmon.exe 3 12->23         started        53 C:\Users\user\AppData\Local\...\xktfu.dll, PE32 14->53 dropped 25 bGf2H3tXGg.exe 3 14->25         started        55 C:\Users\user\AppData\Local\...\xktfu.dll, PE32 16->55 dropped 27 dhcpmon.exe 2 16->27         started        signatures5 process6 dnsIp7 57 backu4734.duckdns.org 40.71.91.165, 49708, 49710, 49711 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->57 37 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->37 dropped 39 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 18->39 dropped 41 C:\Users\user\AppData\Local\...\tmpDE28.tmp, XML 18->41 dropped 43 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->43 dropped 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        45 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 23->45 dropped 47 C:\Users\user\AppData\...\bGf2H3tXGg.exe.log, ASCII 25->47 dropped file8 signatures9 process10 process11 33 conhost.exe 29->33         started        35 conhost.exe 31->35         started       

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        bGf2H3tXGg.exe51%VirustotalBrowse
        bGf2H3tXGg.exe16%MetadefenderBrowse
        bGf2H3tXGg.exe69%ReversingLabsWin32.Trojan.Zenpak
        bGf2H3tXGg.exe100%Joe Sandbox ML

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll100%AviraHEUR/AGEN.1120893
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll100%AviraHEUR/AGEN.1120893
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll100%AviraHEUR/AGEN.1120893
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll100%AviraHEUR/AGEN.1120893
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe51%VirustotalBrowse
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe16%MetadefenderBrowse
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe69%ReversingLabsWin32.Trojan.Zenpak
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll19%VirustotalBrowse
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll14%MetadefenderBrowse
        C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll41%ReversingLabsWin32.Trojan.InjectorX
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll19%VirustotalBrowse
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll14%MetadefenderBrowse
        C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll41%ReversingLabsWin32.Trojan.InjectorX
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll19%VirustotalBrowse
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll14%MetadefenderBrowse
        C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll41%ReversingLabsWin32.Trojan.InjectorX
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll19%VirustotalBrowse
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll14%MetadefenderBrowse
        C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll41%ReversingLabsWin32.Trojan.InjectorX

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        3.2.bGf2H3tXGg.exe.4e70000.16.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        22.2.dhcpmon.exe.2430000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        0.0.bGf2H3tXGg.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        12.2.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        22.1.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        15.2.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        15.2.dhcpmon.exe.10000000.5.unpack100%AviraHEUR/AGEN.1120893Download File
        14.1.bGf2H3tXGg.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        14.2.bGf2H3tXGg.exe.4a80000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        12.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        22.2.dhcpmon.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.2.bGf2H3tXGg.exe.10000000.5.unpack100%AviraHEUR/AGEN.1120893Download File
        11.2.bGf2H3tXGg.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        11.0.bGf2H3tXGg.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        17.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        22.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        0.2.bGf2H3tXGg.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        12.2.dhcpmon.exe.10000000.5.unpack100%AviraHEUR/AGEN.1120893Download File
        14.2.bGf2H3tXGg.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        3.0.bGf2H3tXGg.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        15.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        0.2.bGf2H3tXGg.exe.10000000.5.unpack100%AviraHEUR/AGEN.1120893Download File
        14.0.bGf2H3tXGg.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        3.2.bGf2H3tXGg.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        17.2.dhcpmon.exe.4a60000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        3.1.bGf2H3tXGg.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        17.2.dhcpmon.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

        Domains

        SourceDetectionScannerLabelLink
        backu4734.duckdns.org1%VirustotalBrowse

        URLs

        SourceDetectionScannerLabelLink
        backu4734.duckdns.org1%VirustotalBrowse
        backu4734.duckdns.org0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        backu4734.duckdns.org
        		40.71.91.165
        		truetrueunknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        backu4734.duckdns.orgtrue
        • 1%, Virustotal, Browse
        • Avira URL Cloud: safe
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://nsis.sf.net/NSIS_ErrorbGf2H3tXGg.exefalse
          		high
          http://nsis.sf.net/NSIS_ErrorErrorbGf2H3tXGg.exefalse
            		high

            Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public

            IPDomainCountryFlagASNASN NameMalicious
            40.71.91.165
            		backu4734.duckdns.orgUnited States
            		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue

            General Information

            Joe Sandbox Version:31.0.0 Emerald
            Analysis ID:384149
            Start date:08.04.2021
            Start time:17:20:12
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 12m 38s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:bGf2H3tXGg.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@18/24@16/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 13.5% (good quality ratio 12.3%)
            • Quality average: 75.8%
            • Quality standard deviation: 32.1%
            HCA Information:
            • Successful, ratio: 95%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            Show All
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 168.61.161.212, 104.42.151.234, 23.54.113.53, 104.43.193.48, 13.64.90.137, 95.100.54.203, 20.82.209.183, 23.10.249.43, 23.10.249.26, 20.82.210.154, 20.54.26.129
            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            17:21:09API Interceptor838x Sleep call for process: bGf2H3tXGg.exe modified
            17:21:17Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\bGf2H3tXGg.exe" s>$(Arg0)
            17:21:20Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
            17:21:21AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            17:21:30API Interceptor2x Sleep call for process: dhcpmon.exe modified

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
            40.71.91.165zr0evNqvkC.exeGet hashmaliciousBrowse

              Domains

              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
              backu4734.duckdns.orgzr0evNqvkC.exeGet hashmaliciousBrowse
              • 40.71.91.165

              ASN

              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
              MICROSOFT-CORP-MSN-AS-BLOCKUSsecuredmessage.htmGet hashmaliciousBrowse
              • 52.239.152.74
              Fattura di errore.exeGet hashmaliciousBrowse
              • 104.209.133.4
              PaymentAdvice.exeGet hashmaliciousBrowse
              • 52.142.208.184
              Signed pages of agreement copy.htmlGet hashmaliciousBrowse
              • 52.97.232.194
              zr0evNqvkC.exeGet hashmaliciousBrowse
              • 40.71.91.165
              uGSmoUM8Ex.exeGet hashmaliciousBrowse
              • 52.169.150.217
              New Orders.exeGet hashmaliciousBrowse
              • 104.209.133.4
              6r3kQ7Ddkk.dllGet hashmaliciousBrowse
              • 204.79.197.200
              S9LQJCAiXi.exeGet hashmaliciousBrowse
              • 40.122.131.23
              sample.exeGet hashmaliciousBrowse
              • 40.91.125.204
              wzdu53.exeGet hashmaliciousBrowse
              • 52.239.137.4
              bank details.exeGet hashmaliciousBrowse
              • 20.43.32.222
              covid.exeGet hashmaliciousBrowse
              • 168.62.194.64
              1drive.exeGet hashmaliciousBrowse
              • 137.117.64.85
              onbgX3WswF.exeGet hashmaliciousBrowse
              • 52.142.208.184
              scan-100218.docmGet hashmaliciousBrowse
              • 51.145.124.145
              Honeywell Home_v5.3.0_apkpure.com_20201208.apkGet hashmaliciousBrowse
              • 52.232.209.85
              bcex.apk.1Get hashmaliciousBrowse
              • 52.175.56.158
              Transfer Form.exeGet hashmaliciousBrowse
              • 20.43.32.222
              PaymentInvoice.exeGet hashmaliciousBrowse
              • 52.142.208.184

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Category:dropped
              Size (bytes):702907
              Entropy (8bit):5.903583773476114
              Encrypted:false
              SSDEEP:6144:69X0GFb/PdSrw+uHwUa5EIZUNf5F6p363E+r+voPIQLAoxQHHmAOZPBwf9:M0o1+Bvgs36pcoPIWPxUH1F
              MD5:F72A7FD231E50F9B43C3DAB470364846
              SHA1:1AC9F0876EC8F4B95FB0BBAE48C2A5B5D02ED411
              SHA-256:FB01157B437B00F34999FAA320BB55C8E44BDBB415E9A15503035BFE0E1D40D6
              SHA-512:C12BC1D2B74C2F209EADD40C02A56EE4B1A21287AB5B3391118F1FA12971C39DCBE2B8174B43A4D19281680247398140B223E0F00F03896B71AA8AA2352C084E
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Virustotal, Detection: 51%, Browse
              • Antivirus: Metadefender, Detection: 16%, Browse
              • Antivirus: ReversingLabs, Detection: 69%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f..........H3............@..........................0............@.................................D.......................................................................................................................text...Wd.......f.................. ..`.rdata...............j..............@..@.data...8U...........~..............@....ndata...................................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................
              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bGf2H3tXGg.exe.log
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.355304211458859
              Encrypted:false
              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
              MD5:69206D3AF7D6EFD08F4B4726998856D3
              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
              Malicious:true
              Reputation:moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.355304211458859
              Encrypted:false
              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
              MD5:69206D3AF7D6EFD08F4B4726998856D3
              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
              Malicious:true
              Reputation:moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
              C:\Users\user\AppData\Local\Temp\nejus0or2e4wbg8rhay
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:data
              Category:dropped
              Size (bytes):283136
              Entropy (8bit):7.999260184879652
              Encrypted:true
              SSDEEP:6144:3w+uHwUa5EIZUNf5F6p363E+r+voPIQLAoxQHHmAOZPBwfY:g+Bvgs36pcoPIWPxUH1g
              MD5:285906EFB24E6C8780A7F2E30BDBE72A
              SHA1:5CBAE1392002A6956635E15DB5147F85620F30E8
              SHA-256:AF23271A22B4657CF3765BB7A1A40E130CB9145D4549D004CF9BAF1C4CB854CA
              SHA-512:BFC53D9B2047DB89CB5828C49C12CA68BB999F9633EE8FD11BB9E110634812F18137280E6DE79AFD1C3B83731E4F21F6300F92BFDD9917ED6576F3111144A8CE
              Malicious:false
              Preview: .\.5...x).....b?...k.1P&........f.p...3..d.;.vR7.P...c....1...u.aH...hSE}...^&.@wL..DI.........I.`VS..v..J..*o.A...@..\..S#..aU ....%......!I...Ym.V....#..r6..o..YbA.bN..../.....sj.T..EX..G...F...kG.}7#6x....<.}......L..K.D..H.#a...~:_.'............9M..\...).<..6.;.(..v.......d.P.4....H..c.m.s4-=..N.........l...,.j'....Y.*.Ex..F.5c?..c>....qhq...#..>.nm.{.xp....$M.}.V.?[uY.(.&.TW..#..=....M.....k......ln..W.j.cbX......6F.D.>...x..K.:_.f3kD..l...^...q9.vW.@.3.OG..`.9...fPc..!..'c0.r.}.?...O...%.*.EY%H.+.y.]..D.f.:....M.I...X=.1.U....K}.I...aY.N...c...M.....G.........8..dw.m...L..O.@^..a>.....?...[9.T":..dO0..1.$......?8..rs..n&U. h.[e...N. *h....T..MW$....!.&2...@.Y.bL..Gv.L...|.2....4{wEZ.iB....n.....P.6z.c...R.z...>.O#rr..p....H...O..NkjZ*w...'{..L....]]Q...s5...o....}.6.f.....)>R`.l.5A....{.A..z....'.b..A..];d.2.w..P...-.....X.>W#...0.o.#S2%..U..m..K.............h%...H.5A...Ul....:1....3......A...iN...JI.C..=....Z..q.3.C..r..C..Y....}
              C:\Users\user\AppData\Local\Temp\nsfEFEC.tmp\xktfu.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%, Browse
              • Antivirus: Metadefender, Detection: 14%, Browse
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsh9AB8.tmp\xktfu.dll
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%, Browse
              • Antivirus: Metadefender, Detection: 14%, Browse
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsmE619.tmp\xktfu.dll
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%, Browse
              • Antivirus: Metadefender, Detection: 14%, Browse
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsp1382.tmp\xktfu.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5120
              Entropy (8bit):4.042717862409682
              Encrypted:false
              SSDEEP:48:a2f1CPWItdEEB+dlbcTeJjhaYLTxGCv402KcUlWG6QmtN1BbRuqS:InB+7cTkTxGCA02K74tp1x
              MD5:55ED3B347F615FAE9FB0D62EFA642861
              SHA1:2978295CFE6CB8ED8C7D7BCEBF0CB13DCD6C9256
              SHA-256:9C94096638FBAD8F4F41E33012437C149ECD4AB055E56FDDACBD35CBCB2ADCB6
              SHA-512:4AC65E360218AE12205C79C32C057B78065EFDD81C679B706694CE22A5F3838473897617E8C973DD738F312494B01082A4A292176CB6E00E5B29A110B0F2B3A5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Virustotal, Detection: 19%, Browse
              • Antivirus: Metadefender, Detection: 14%, Browse
              • Antivirus: ReversingLabs, Detection: 41%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...>.f`...........!......................... ...............................P.............A.........................!..L....".......@............................... ............................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\tmpDE28.tmp
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1301
              Entropy (8bit):5.109950989988902
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0POLxtn:cbk4oL600QydbQxIYODOLedq3SOj
              MD5:7F3B873F0BEBEC1CA523C1EA10D53D80
              SHA1:3EB161B07F5EF732D6C39DD6BC13E1C3AD3036E4
              SHA-256:E0932A6253B8851243AFF143973201F1F4D88A908DA580AFC1AB83A0EC043CDE
              SHA-512:8C8EB7B8FED0A52CBB0CFA4471C1A7780D50C8D249CD14F0FD590662046D6A6705968C66EDA96A4C0E58D0746E4B6BD9E485C4CDC06D630C7FEA2ECFB86AD107
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\xavbedcnsrtbhix
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:data
              Category:dropped
              Size (bytes):11781
              Entropy (8bit):7.984459379386964
              Encrypted:false
              SSDEEP:192:pBenVpIMVi3Lb5zyZXE/yld/gQOEBaX0wZkWVAMrtFW0VzoiSrWP6WQpHWcJcNdD:yVCR52ZXs8dQ1RZkEAmtd1olYWHWcwIE
              MD5:BCB945B4C41466420E84B5CED1F7C5F4
              SHA1:5041C43DEBCC2B9E65D11D658F0FE8C8A45E074F
              SHA-256:B4BC8BCAFC597734DFF776D588DCF7F82C6BA6A1BA96F04A0B384B3F30AA4E24
              SHA-512:645EB26BA2E711C68A1982CB4D93A9432B610B64A92CAFA134ED7219272677F44B1BA7BC27F75FE94CBBB6EF5AA1EB8B33257391FB04FC1BDF04EA4997FFB621
              Malicious:false
              Preview: tD*@J..p............>a..e.6q..{.r.w.z..E.LS.,_N.........._..$....x.!#..l..P3-/."x&..X...4"T.......^....gqs...j",.C=?hf.v.8.OY[D..R../...P...`7......r|.......>H.....3.Z.o.......w........O$. ..g...0:<M.'..m...-iM..=......S........K.e..#e..{3..{i.I../II.O..yO....K....k.E...y.W..".?....S...<.$........<.....d...+%'.6p....7..,^L:..d...8HX...|_ik...b.$.{uw`h.n&0.GQS|.J....HP.V.........jt......~v@...5..HZ!...KP)*..3....9......'.". ....4.0..6.. .68.u./BMkr.ef......U...b3xEF`..vx35ENPZu.Xl....F....c.....I..I........wI....KX.5..../j..(7..9....../J..}...)+..L1N/.....-/.n6(...^]7.......egq....OuLK]..{u2..n..oa:.......G....^m.....szdj.t.#L....LN......:.....1............7......,.a2......8.s8..u..C..q...`jl.[l.....oe^p'.>&..bE.F.j..V./...$.........r...y..{=....}....I[...........y.^AD.O.....K..........A/;5. -,9,.7..:.6......p..eugq>m.t{uw&.R3e.=AC..9S[U.SOO......~....J...}t<.y.G......Iv...RP.....j[...,.....D.......P....W..(....a..a.......aB<d.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:dropped
              Size (bytes):1856
              Entropy (8bit):7.089541637477408
              Encrypted:false
              SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
              MD5:30D23CC577A89146961915B57F408623
              SHA1:9B5709D6081D8E0A570511E6E0AAE96FA041964F
              SHA-256:E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
              SHA-512:2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
              Malicious:false
              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ISO-8859 text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:wFGet:wrt
              MD5:DF854956BB207377B050755321BC7605
              SHA1:1E82091BE0AD796EAF136C55B5AD83D650AE72CA
              SHA-256:0E92D96AF7FB340B34C5C7EEE2AEF7059B5B0181952CE900B27F8A8B8E0FEA2B
              SHA-512:BAB25B65AC0C3F2496924D04DBD89E32029C248350440BBB3C9EF6268AA7E389BFDD9F6982350B6CBD38B107B42D291801671B52129B47F075FC76EF1F128C2D
              Malicious:true
              Preview: .>.c...H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:dropped
              Size (bytes):24
              Entropy (8bit):4.501629167387823
              Encrypted:false
              SSDEEP:3:9bzY6oRDIvYk:RzWDI3
              MD5:ACD3FB4310417DC77FE06F15B0E353E6
              SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
              SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
              SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
              Malicious:false
              Preview: 9iH...}Z.4..f..J".C;"a
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:modified
              Size (bytes):64
              Entropy (8bit):5.320159765557392
              Encrypted:false
              SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
              MD5:BB0F9B9992809E733EFFF8B0E562CFD6
              SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
              SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
              SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
              Malicious:false
              Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:data
              Category:dropped
              Size (bytes):327768
              Entropy (8bit):7.999367066417797
              Encrypted:true
              SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
              MD5:2E52F446105FBF828E63CF808B721F9C
              SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
              SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
              SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
              Malicious:false
              Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\Desktop\bGf2H3tXGg.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):38
              Entropy (8bit):4.405822250285691
              Encrypted:false
              SSDEEP:3:oNUWJRWHSkV0Cn:oNNJApL
              MD5:0FB77C8DB46E53AD33B0288C4C8A4A14
              SHA1:3FE522409B1B18F07306B6F1691DD73D4B2A6212
              SHA-256:22C5A9F7013302D91E32B386E8B545BDDBB8F749FDC6CB403ACBB583FD3AD8C0
              SHA-512:98A7A9F58366F7C8BB237D0E73AF412105AF017240272B37D28F845C7C1BE26D7751769D0A83A2E485080C902903ABD48A7930D29A96964BB9820AA6754FED4D
              Malicious:false
              Preview: C:\Users\user\Desktop\bGf2H3tXGg.exe

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):5.903583773476114
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:bGf2H3tXGg.exe
              File size:702907
              MD5:f72a7fd231e50f9b43c3dab470364846
              SHA1:1ac9f0876ec8f4b95fb0bbae48c2a5b5d02ed411
              SHA256:fb01157b437b00f34999faa320bb55c8e44bdbb415e9a15503035bfe0e1d40d6
              SHA512:c12bc1d2b74c2f209eadd40c02a56ee4b1a21287ab5b3391118f1fa12971c39dcbe2b8174b43a4d19281680247398140b223e0f00f03896b71aa8aa2352c084e
              SSDEEP:6144:69X0GFb/PdSrw+uHwUa5EIZUNf5F6p363E+r+voPIQLAoxQHHmAOZPBwf9:M0o1+Bvgs36pcoPIWPxUH1F
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f..........H3............@

              File Icon

              Icon Hash:e0d8d8d4d4d8d0e8

              Static PE Info

              General

              Entrypoint:0x403348
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:ced282d9b261d1462772017fe2f6972b

              Entrypoint Preview

              Instruction
              sub esp, 00000184h
              push ebx
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 0040A198h
              mov dword ptr [esp+20h], ebx
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [004080B8h]
              call dword ptr [004080BCh]
              and eax, BFFFFFFFh
              cmp ax, 00000006h
              mov dword ptr [0042F42Ch], eax
              je 00007F28E8708C83h
              push ebx
              call 00007F28E870BDE6h
              cmp eax, ebx
              je 00007F28E8708C79h
              push 00000C00h
              call eax
              mov esi, 004082A0h
              push esi
              call 00007F28E870BD62h
              push esi
              call dword ptr [004080CCh]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007F28E8708C5Dh
              push 0000000Bh
              call 00007F28E870BDBAh
              push 00000009h
              call 00007F28E870BDB3h
              push 00000007h
              mov dword ptr [0042F424h], eax
              call 00007F28E870BDA7h
              cmp eax, ebx
              je 00007F28E8708C81h
              push 0000001Eh
              call eax
              test eax, eax
              je 00007F28E8708C79h
              or byte ptr [0042F42Fh], 00000040h
              push ebp
              call dword ptr [00408038h]
              push ebx
              call dword ptr [00408288h]
              mov dword ptr [0042F4F8h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 00429850h
              call dword ptr [0040816Ch]
              push 0040A188h

              Rich Headers

              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0x85440xa0.rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE0x380000x5adc8.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IAT0x80000x29c.rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x10000x64570x6600False0.66823682598data6.43498570321IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata0x80000x13800x1400False0.4625data5.26100389731IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data0xa0000x255380x600False0.463541666667data4.133728555IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .ndata0x300000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc0x380000x5adc80x5ae00False0.0467997764787data2.65052430635IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountry
              RT_ICON0x382800x42028data
              RT_ICON0x7a2a80x468GLS_BINARY_LSB_FIRST
              RT_ICON0x7a7100x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
              RT_ICON0x7ccb80x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
              RT_ICON0x7dd600x10828dBase III DBT, version number 0, next free block index 40
              RT_ICON0x8e5880x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
              RT_DIALOG0x927b00x100dataEnglishUnited States
              RT_DIALOG0x928b00x11cdataEnglishUnited States
              RT_DIALOG0x929cc0x60dataEnglishUnited States
              RT_GROUP_ICON0x92a2c0x5adata
              RT_MANIFEST0x92a880x340XML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

              Imports

              DLLImport
              ADVAPI32.dllRegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
              SHELL32.dllSHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
              ole32.dllIIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
              COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
              USER32.dllSetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
              GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
              KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

              Possible Origin

              Language of compilation systemCountry where language is spokenMap
              EnglishUnited States

              Network Behavior

              Network Port Distribution

              TCP Packets

              TimestampSource PortDest PortSource IPDest IP
              Apr 8, 2021 17:21:19.430593967 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:19.532866955 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:19.533004999 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:19.573600054 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:19.693836927 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:19.693979979 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:19.836230993 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:19.836409092 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:19.940630913 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:19.953306913 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.106357098 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.116871119 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.116904974 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.116926908 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.116954088 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.117017984 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.117078066 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.219286919 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219361067 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219405890 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219470978 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219481945 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.219507933 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219527960 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.219541073 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219568968 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219598055 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.219620943 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.219640970 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324055910 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324091911 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324115038 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324136019 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324157000 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324179888 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324191093 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324202061 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324229002 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324234962 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324245930 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324254990 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324276924 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324300051 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324325085 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324326038 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324341059 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324347973 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324368000 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324373007 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324394941 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324421883 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.324435949 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.324457884 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.426434994 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426480055 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426508904 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426534891 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426575899 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.426613092 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.426630020 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426719904 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426748991 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426774025 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426779985 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.426826000 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.426866055 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426896095 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426933050 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.426947117 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.426964998 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427022934 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427048922 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427067995 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427078009 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427104950 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427105904 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427133083 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427146912 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427161932 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427195072 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427242994 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427277088 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427586079 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427612066 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427658081 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427669048 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427670956 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427755117 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427784920 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427817106 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427830935 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427848101 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427860022 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427876949 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427902937 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427927017 CEST497088092192.168.2.540.71.91.165
              Apr 8, 2021 17:21:20.427942991 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427963018 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427989006 CEST80924970840.71.91.165192.168.2.5
              Apr 8, 2021 17:21:20.427989006 CEST497088092192.168.2.540.71.91.165

              UDP Packets

              TimestampSource PortDest PortSource IPDest IP
              Apr 8, 2021 17:20:52.777942896 CEST6530753192.168.2.58.8.8.8
              Apr 8, 2021 17:20:52.792874098 CEST53653078.8.8.8192.168.2.5
              Apr 8, 2021 17:20:52.908107042 CEST6434453192.168.2.58.8.8.8
              Apr 8, 2021 17:20:52.920916080 CEST53643448.8.8.8192.168.2.5
              Apr 8, 2021 17:20:53.738787889 CEST6206053192.168.2.58.8.8.8
              Apr 8, 2021 17:20:53.753365040 CEST53620608.8.8.8192.168.2.5
              Apr 8, 2021 17:20:54.499186993 CEST6180553192.168.2.58.8.8.8
              Apr 8, 2021 17:20:54.512229919 CEST53618058.8.8.8192.168.2.5
              Apr 8, 2021 17:20:54.952914000 CEST5479553192.168.2.58.8.8.8
              Apr 8, 2021 17:20:54.971004009 CEST53547958.8.8.8192.168.2.5
              Apr 8, 2021 17:21:03.811711073 CEST4955753192.168.2.58.8.8.8
              Apr 8, 2021 17:21:03.824161053 CEST53495578.8.8.8192.168.2.5
              Apr 8, 2021 17:21:04.628942966 CEST6173353192.168.2.58.8.8.8
              Apr 8, 2021 17:21:04.642151117 CEST53617338.8.8.8192.168.2.5
              Apr 8, 2021 17:21:06.808931112 CEST6544753192.168.2.58.8.8.8
              Apr 8, 2021 17:21:06.822011948 CEST53654478.8.8.8192.168.2.5
              Apr 8, 2021 17:21:07.621742010 CEST5244153192.168.2.58.8.8.8
              Apr 8, 2021 17:21:07.634968996 CEST53524418.8.8.8192.168.2.5
              Apr 8, 2021 17:21:09.236407995 CEST6217653192.168.2.58.8.8.8
              Apr 8, 2021 17:21:09.249181986 CEST53621768.8.8.8192.168.2.5
              Apr 8, 2021 17:21:16.772994041 CEST5959653192.168.2.58.8.8.8
              Apr 8, 2021 17:21:16.785816908 CEST53595968.8.8.8192.168.2.5
              Apr 8, 2021 17:21:17.609308958 CEST6529653192.168.2.58.8.8.8
              Apr 8, 2021 17:21:17.623075962 CEST53652968.8.8.8192.168.2.5
              Apr 8, 2021 17:21:19.230293989 CEST6318353192.168.2.58.8.8.8
              Apr 8, 2021 17:21:19.411761999 CEST53631838.8.8.8192.168.2.5
              Apr 8, 2021 17:21:20.604794979 CEST6015153192.168.2.58.8.8.8
              Apr 8, 2021 17:21:20.645472050 CEST53601518.8.8.8192.168.2.5
              Apr 8, 2021 17:21:29.107058048 CEST5696953192.168.2.58.8.8.8
              Apr 8, 2021 17:21:29.293220043 CEST53569698.8.8.8192.168.2.5
              Apr 8, 2021 17:21:34.792303085 CEST5516153192.168.2.58.8.8.8
              Apr 8, 2021 17:21:34.808309078 CEST53551618.8.8.8192.168.2.5
              Apr 8, 2021 17:21:41.324934959 CEST5475753192.168.2.58.8.8.8
              Apr 8, 2021 17:21:41.338340998 CEST53547578.8.8.8192.168.2.5
              Apr 8, 2021 17:21:44.674228907 CEST4999253192.168.2.58.8.8.8
              Apr 8, 2021 17:21:44.686163902 CEST53499928.8.8.8192.168.2.5
              Apr 8, 2021 17:21:48.354012966 CEST6007553192.168.2.58.8.8.8
              Apr 8, 2021 17:21:48.535795927 CEST53600758.8.8.8192.168.2.5
              Apr 8, 2021 17:21:55.362834930 CEST5501653192.168.2.58.8.8.8
              Apr 8, 2021 17:21:55.377132893 CEST53550168.8.8.8192.168.2.5
              Apr 8, 2021 17:21:57.871968031 CEST6434553192.168.2.58.8.8.8
              Apr 8, 2021 17:21:57.891774893 CEST53643458.8.8.8192.168.2.5
              Apr 8, 2021 17:22:01.625776052 CEST5712853192.168.2.58.8.8.8
              Apr 8, 2021 17:22:01.638365984 CEST53571288.8.8.8192.168.2.5
              Apr 8, 2021 17:22:07.701024055 CEST5479153192.168.2.58.8.8.8
              Apr 8, 2021 17:22:07.714009047 CEST53547918.8.8.8192.168.2.5
              Apr 8, 2021 17:22:14.676337957 CEST5046353192.168.2.58.8.8.8
              Apr 8, 2021 17:22:14.888746977 CEST53504638.8.8.8192.168.2.5
              Apr 8, 2021 17:22:19.713126898 CEST5039453192.168.2.58.8.8.8
              Apr 8, 2021 17:22:19.727790117 CEST53503948.8.8.8192.168.2.5
              Apr 8, 2021 17:22:25.775541067 CEST5853053192.168.2.58.8.8.8
              Apr 8, 2021 17:22:25.788817883 CEST53585308.8.8.8192.168.2.5
              Apr 8, 2021 17:22:31.701319933 CEST5381353192.168.2.58.8.8.8
              Apr 8, 2021 17:22:31.715224028 CEST53538138.8.8.8192.168.2.5
              Apr 8, 2021 17:22:33.610249043 CEST6373253192.168.2.58.8.8.8
              Apr 8, 2021 17:22:33.791585922 CEST53637328.8.8.8192.168.2.5
              Apr 8, 2021 17:22:34.250060081 CEST5734453192.168.2.58.8.8.8
              Apr 8, 2021 17:22:34.270764112 CEST53573448.8.8.8192.168.2.5
              Apr 8, 2021 17:22:39.213460922 CEST5445053192.168.2.58.8.8.8
              Apr 8, 2021 17:22:39.231551886 CEST53544508.8.8.8192.168.2.5
              Apr 8, 2021 17:22:40.763470888 CEST5926153192.168.2.58.8.8.8
              Apr 8, 2021 17:22:40.776850939 CEST53592618.8.8.8192.168.2.5
              Apr 8, 2021 17:22:47.613575935 CEST5715153192.168.2.58.8.8.8
              Apr 8, 2021 17:22:47.627650023 CEST53571518.8.8.8192.168.2.5
              Apr 8, 2021 17:22:51.380856037 CEST5941353192.168.2.58.8.8.8
              Apr 8, 2021 17:22:51.408750057 CEST53594138.8.8.8192.168.2.5
              Apr 8, 2021 17:22:53.967757940 CEST6051653192.168.2.58.8.8.8
              Apr 8, 2021 17:22:53.981085062 CEST53605168.8.8.8192.168.2.5
              Apr 8, 2021 17:23:00.772382021 CEST5164953192.168.2.58.8.8.8
              Apr 8, 2021 17:23:00.785746098 CEST53516498.8.8.8192.168.2.5

              DNS Queries

              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
              Apr 8, 2021 17:21:19.230293989 CEST192.168.2.58.8.8.80x42aStandard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:21:29.107058048 CEST192.168.2.58.8.8.80x22b0Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:21:34.792303085 CEST192.168.2.58.8.8.80x6924Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:21:41.324934959 CEST192.168.2.58.8.8.80xc909Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:21:48.354012966 CEST192.168.2.58.8.8.80x1522Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:21:55.362834930 CEST192.168.2.58.8.8.80xbe28Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:01.625776052 CEST192.168.2.58.8.8.80xb9feStandard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:07.701024055 CEST192.168.2.58.8.8.80x8a6Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:14.676337957 CEST192.168.2.58.8.8.80xd02aStandard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:19.713126898 CEST192.168.2.58.8.8.80xab6aStandard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:25.775541067 CEST192.168.2.58.8.8.80xafbfStandard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:33.610249043 CEST192.168.2.58.8.8.80x47e1Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:40.763470888 CEST192.168.2.58.8.8.80x9db0Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:47.613575935 CEST192.168.2.58.8.8.80x6edcStandard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:22:53.967757940 CEST192.168.2.58.8.8.80x116fStandard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)
              Apr 8, 2021 17:23:00.772382021 CEST192.168.2.58.8.8.80x73b1Standard query (0)backu4734.duckdns.orgA (IP address)IN (0x0001)

              DNS Answers

              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
              Apr 8, 2021 17:21:19.411761999 CEST8.8.8.8192.168.2.50x42aNo error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:21:29.293220043 CEST8.8.8.8192.168.2.50x22b0No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:21:34.808309078 CEST8.8.8.8192.168.2.50x6924No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:21:41.338340998 CEST8.8.8.8192.168.2.50xc909No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:21:48.535795927 CEST8.8.8.8192.168.2.50x1522No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:21:55.377132893 CEST8.8.8.8192.168.2.50xbe28No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:01.638365984 CEST8.8.8.8192.168.2.50xb9feNo error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:07.714009047 CEST8.8.8.8192.168.2.50x8a6No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:14.888746977 CEST8.8.8.8192.168.2.50xd02aNo error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:19.727790117 CEST8.8.8.8192.168.2.50xab6aNo error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:25.788817883 CEST8.8.8.8192.168.2.50xafbfNo error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:33.791585922 CEST8.8.8.8192.168.2.50x47e1No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:40.776850939 CEST8.8.8.8192.168.2.50x9db0No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:47.627650023 CEST8.8.8.8192.168.2.50x6edcNo error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:22:53.981085062 CEST8.8.8.8192.168.2.50x116fNo error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)
              Apr 8, 2021 17:23:00.785746098 CEST8.8.8.8192.168.2.50x73b1No error (0)backu4734.duckdns.org40.71.91.165A (IP address)IN (0x0001)

              Code Manipulations

              Statistics

              Behavior

              Click to jump to process

              System Behavior

              Analysis Process: bGf2H3tXGg.exe PID: 4656 Parent PID: 5736

              General

              Start time:17:20:58
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\bGf2H3tXGg.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.255989903.00000000029B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Analysis Process: bGf2H3tXGg.exe PID: 204 Parent PID: 4656

              General

              Start time:17:21:09
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\bGf2H3tXGg.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.494409950.0000000004E72000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000001.247277523.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.488378947.00000000021D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.493792875.00000000036D7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.488999685.00000000023D1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.489075151.000000000243C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.485375087.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.486901430.0000000000658000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.493192985.0000000003464000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              Analysis Process: schtasks.exe PID: 6280 Parent PID: 204

              General

              Start time:17:21:16
              Start date:08/04/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE28.tmp'
              Imagebase:0xb50000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Analysis Process: conhost.exe PID: 6288 Parent PID: 6280

              General

              Start time:17:21:16
              Start date:08/04/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7ecfc0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Analysis Process: schtasks.exe PID: 6320 Parent PID: 204

              General

              Start time:17:21:17
              Start date:08/04/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE0E8.tmp'
              Imagebase:0x7ff797770000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Analysis Process: conhost.exe PID: 6456 Parent PID: 6320

              General

              Start time:17:21:17
              Start date:08/04/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7ecfc0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Analysis Process: bGf2H3tXGg.exe PID: 6468 Parent PID: 904

              General

              Start time:17:21:17
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\bGf2H3tXGg.exe 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306005261.00000000029B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Analysis Process: dhcpmon.exe PID: 6600 Parent PID: 904

              General

              Start time:17:21:20
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.311997780.00000000028B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 51%, Virustotal, Browse
              • Detection: 16%, Metadefender, Browse
              • Detection: 69%, ReversingLabs
              Reputation:low

              Analysis Process: bGf2H3tXGg.exe PID: 6704 Parent PID: 6468

              General

              Start time:17:21:28
              Start date:08/04/2021
              Path:C:\Users\user\Desktop\bGf2H3tXGg.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\bGf2H3tXGg.exe 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318797223.00000000034E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318707635.00000000024E1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.317545365.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000001.300644075.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.319988300.0000000004A82000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318495205.0000000000859000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318765961.0000000002530000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.319780906.0000000004960000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.318855204.000000000351C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Analysis Process: dhcpmon.exe PID: 6752 Parent PID: 3472

              General

              Start time:17:21:29
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.324052877.0000000002870000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Analysis Process: dhcpmon.exe PID: 6816 Parent PID: 6600

              General

              Start time:17:21:31
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323797763.0000000002561000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323934536.0000000003561000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.326163063.0000000004A62000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323984965.000000000359C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323578165.00000000024C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.322836165.000000000050C000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.323888903.00000000025B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.322659318.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Analysis Process: dhcpmon.exe PID: 6212 Parent PID: 6752

              General

              Start time:17:21:42
              Start date:08/04/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:702907 bytes
              MD5 hash:F72A7FD231E50F9B43C3DAB470364846
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000001.319250838.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.338981000.00000000023B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339113549.0000000002432000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339334436.00000000034CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339271124.00000000024E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339201684.0000000002491000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.339302702.0000000003491000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.338373270.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.338595453.00000000005A8000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Disassembly

              Code Analysis

              Reset < >