Analysis Report cd61fe0ebfe9f6326cd5a4df9747e72c.exe

Overview

General Information

Sample Name: cd61fe0ebfe9f6326cd5a4df9747e72c.exe
Analysis ID: 402423
MD5: cafe59d79e00e211548d5e569931e70e
SHA1: d7fbfd97e93dec7490ef06c24e2d373127ce56eb
SHA256: 4b603d683f975207871344aa9790ac649bd15c98cceecf626b92a1d3d8fd85f4
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cd61fe0ebfe9f6326cd5a4df9747e72c.exe (PID: 5644 cmdline: 'C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe' MD5: CAFE59D79E00E211548D5E569931E70E)
    • cd61fe0ebfe9f6326cd5a4df9747e72c.exe (PID: 2160 cmdline: {path} MD5: CAFE59D79E00E211548D5E569931E70E)
      • schtasks.exe (PID: 5828 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5868 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp84B1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 3156 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CAFE59D79E00E211548D5E569931E70E)
    • dhcpmon.exe (PID: 5844 cmdline: {path} MD5: CAFE59D79E00E211548D5E569931E70E)
    • dhcpmon.exe (PID: 5064 cmdline: {path} MD5: CAFE59D79E00E211548D5E569931E70E)
  • dhcpmon.exe (PID: 6124 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CAFE59D79E00E211548D5E569931E70E)
    • dhcpmon.exe (PID: 3468 cmdline: {path} MD5: CAFE59D79E00E211548D5E569931E70E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "25d2fcba-c6f2-4766-acfe-f43fa2f1",
  "Group": "saviour",
  "Domain1": "cloudhost.myfirewall.org",
  "Domain2": "cloudhost.myfirewall.org",
  "Port": 5456,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "cloudhost.myfirewall.org",
  "BackupDNSServer": "cloudhost.myfirewall.org",
  "BypassUserAccountControlData": "<Task XML, shown decoded below>"
}

BypassUserAccountControlData, decoded (the extracted string stops at "</Task" without the closing bracket):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task
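The configuration above is what a responder has to turn into indicators and a privilege assessment. The following script is an added example, not part of the Joe Sandbox report and not NanoCore's or Joe Security's code: it re-embeds the extracted configuration exactly as printed (including the task XML string that is cut off at "</Task"), parses the JSON, repairs and parses the embedded Task Scheduler XML, and returns the C2 pair, the capability switches, and the task fields that decide what the elevated task will run. The constant, function and finding names are this example's own.

```python
"""Parse the NanoCore configuration above and inspect its embedded task XML.

Added example, not part of the Joe Sandbox report and not NanoCore's or Joe
Security's code. CONFIG re-embeds the extracted configuration as the report
prints it (including the string cut off at "</Task") so the script runs
offline; function names and the findings wording are this example's own.
"""
import json
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

CONFIG = (
    r'{"Version": "1.2.2.0", "Mutex": "25d2fcba-c6f2-4766-acfe-f43fa2f1", "Group": "saviour",'
    r' "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5456,'
    r' "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable",'
    r' "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable",'
    r' "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0,'
    r' "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000,'
    r' "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000",'
    r' "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable",'
    r' "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org",'
    r' "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n'
    r'  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n'
    r'      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n'
    r'    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n'
    r'    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n'
    r'    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n'
    r'    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n'
    r'    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n'
    r'    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n'
    r'    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n'
    r'      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}'
)


def repair_task_xml(text):
    """Make the extractor's task XML string parseable.

    The declaration claims UTF-16 but we hold a decoded str, so drop it; and
    the report's string stops at "</Task", so close the root tag.
    """
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    if text.endswith("</Task"):
        text += ">"
    return text


def summarize(config_json):
    """Return C2 and capability settings plus the task's privilege-relevant fields."""
    cfg = json.loads(config_json)
    task = ET.fromstring(repair_task_xml(cfg["BypassUserAccountControlData"]))

    def field(path):
        el = task.find(path, TASK_NS)
        return None if el is None else el.text

    return {
        "c2": sorted({(cfg[k], cfg["Port"]) for k in ("Domain1", "Domain2")}),
        "mutex": cfg["Mutex"],
        "group": cfg["Group"],
        "keylogger": cfg["KeyboardLogging"] == "Enable",
        "bypass_uac": cfg["BypassUAC"] == "Enable",
        "clear_zone_identifier": cfg["ClearZoneIdentifier"] == "Enable",
        "task_logon_type": field("t:Principals/t:Principal/t:LogonType"),
        "task_run_level": field("t:Principals/t:Principal/t:RunLevel"),
        "task_hidden": field("t:Settings/t:Hidden"),
        "task_command": field("t:Actions/t:Exec/t:Command"),
        "task_arguments": field("t:Actions/t:Exec/t:Arguments"),
    }


def task_findings(summary):
    """Explain why the task template matters to a responder."""
    out = []
    if summary["task_run_level"] == "HighestAvailable":
        out.append("task runs with the highest privileges the user holds; for a member "
                   "of Administrators that is elevated, with no UAC prompt")
    if summary["task_arguments"] and "$(Arg" in summary["task_arguments"]:
        out.append("arguments are supplied by whoever starts the task through the "
                   "Task Scheduler API, so the elevated task can be pointed at any "
                   "command line later")
    if summary["task_command"] and "#EXECUTABLEPATH" in summary["task_command"]:
        out.append("command is a placeholder the client fills with its own install path")
    return out


if __name__ == "__main__":
    s = summarize(CONFIG)
    for key, value in s.items():
        print(f"{key:22} {value}")
    for finding in task_findings(s):
        print("finding:", finding)
```

The report does not show the contents of the two temp XML files that schtasks.exe registered as "DHCP Monitor" and "DHCP Monitor Task", so this script only inspects the template carried in the configuration; the same parser can be pointed at a recovered tmp*.tmp file if one is captured.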

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.489985311.0000000005940000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
00000001.00000002.489985311.0000000005940000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(table truncated in this export; 67 entries in total)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
14.2.dhcpmon.exe.2fbec20.2.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
14.2.dhcpmon.exe.2fbec20.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
12.2.dhcpmon.exe.42205dc.5.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost
12.2.dhcpmon.exe.42205dc.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xd9ad:$x2: NanoCore.ClientPluginHost
    • 0xea88:$s4: PipeCreated
    • 0xd9c7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.42205dc.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(table truncated in this export; 124 entries in total)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, ProcessId: 2160, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, ParentProcessId: 2160, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp', ProcessId: 5828
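The two Sigma hits above come from the same parent process: PID 2160 writes run.dat under a GUID directory in %APPDATA% and then runs schtasks.exe twice with an XML task definition from the user's Temp directory. The following script is an added example, not part of the Joe Sandbox report and not Joe Security's Sigma rules: it implements both detections over Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events and then correlates them by the acting process. The EVENTS list is constructed from the command lines and the file path shown in the Sigma section, plus two benign events added for contrast; rule and function names are this example's own.

```python
"""Detect the persistence chain from the Sigma section over Sysmon-style events.

Added example, not part of the Joe Sandbox report and not Joe Security's Sigma
rules. EVENTS is constructed from the command lines and file path the report
shows, plus two benign events that are this example's own; field names follow
Sysmon EventID 1 (process create) and EventID 11 (file create).
"""
import re
from collections import defaultdict

EVENTS = [
    {"EventID": 1, "ProcessId": 5828, "ParentProcessId": 2160,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp'"},
    {"EventID": 1, "ProcessId": 5868, "ParentProcessId": 2160,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp84B1.tmp'"},
    {"EventID": 11, "ProcessId": 2160,
     "Image": r"C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # Constructed benign events (not from the report): an admin registering a
    # task from a scripts folder, and an editor writing its own config file.
    {"EventID": 1, "ProcessId": 4242, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /create /tn Backup /xml C:\Scripts\backup.xml"},
    {"EventID": 11, "ProcessId": 1000,
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Notepad++\config.xml"},
]

# /xml <path>, where the path may be wrapped in single quotes (as the sandbox
# prints it), double quotes, or unquoted.
XML_ARG = re.compile(r"/xml\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# NanoCore keeps its state as run.dat inside %APPDATA%\<GUID>\ (the GUID is
# per build; the report's D06ED635-... is one instance).
NANOCORE_RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\run\.dat$",
    re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_xml_from_temp(ev):
    """schtasks /create whose task definition XML lives in the user's Temp dir."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    if "/create" not in cmd.lower():
        return None
    m = XML_ARG.search(cmd)
    if not m:
        return None
    path = next(g for g in m.groups() if g)
    if not TEMP_DIR.search(path):
        return None
    # The interesting actor is the process that launched schtasks, not schtasks.
    return {"rule": "schtasks_xml_from_temp", "actor_pid": ev["ParentProcessId"], "detail": path}


def nanocore_run_dat(ev):
    """run.dat created under %APPDATA%\\<GUID>\\, the NanoCore state file."""
    if ev["EventID"] != 11 or not NANOCORE_RUN_DAT.search(ev["TargetFilename"]):
        return None
    return {"rule": "nanocore_run_dat", "actor_pid": ev["ProcessId"], "detail": ev["TargetFilename"]}


RULES = (schtasks_xml_from_temp, nanocore_run_dat)


def detect(events):
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def correlate(hits):
    """PIDs that both dropped run.dat and registered a task from Temp."""
    rules_by_pid = defaultdict(set)
    for h in hits:
        rules_by_pid[h["actor_pid"]].add(h["rule"])
    wanted = {"schtasks_xml_from_temp", "nanocore_run_dat"}
    return {pid for pid, rules in rules_by_pid.items() if rules >= wanted}


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(f"{h['rule']:24} actor pid {h['actor_pid']}: {h['detail']}")
    print("persistence chain from pid(s):", sorted(correlate(found)))
```

Each rule alone is noisy in some environments (installers legitimately register tasks from Temp), which is why the correlation keys on the parent PID of schtasks.exe rather than on schtasks itself: the process that wrote run.dat is the one that spawned the task registrations.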

        Signature Overview

        AV Detection:

Found malware configuration
Source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: cloudhost.myfirewall.org; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe; ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match; file sources (type MEMORY):
    0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp
    0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp
    00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp
    0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp
    0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp
    00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp
    0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp
    0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp
    00000001.00000002.484987240.0000000003411000.00000004.00000001.sdmp
    0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp
    00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp
    00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp
    0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp
    00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp
    0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp
    00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp
    00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp
    Process Memory Space: dhcpmon.exe PID: 3468
    Process Memory Space: dhcpmon.exe PID: 5064
    Process Memory Space: dhcpmon.exe PID: 3156
    Process Memory Space: dhcpmon.exe PID: 6124
    Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644
    Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160
    Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932
    Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224
Source: Yara match; file sources (type UNPACKEDPE):
    12.2.dhcpmon.exe.42205dc.5.unpack
    14.2.dhcpmon.exe.400000.0.unpack
    10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack
    14.2.dhcpmon.exe.3fd05dc.4.unpack
    10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a74c05.6.raw.unpack
    12.2.dhcpmon.exe.4224c05.4.raw.unpack
    12.2.dhcpmon.exe.400000.0.unpack
    10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack
    7.2.dhcpmon.exe.4292e10.2.unpack
    9.2.dhcpmon.exe.4362e10.1.unpack
    14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack
    10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.unpack
    14.2.dhcpmon.exe.3fd4c05.5.raw.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4464c05.4.raw.unpack
    6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.raw.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.unpack
    0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack
    6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack
    12.2.dhcpmon.exe.42205dc.5.raw.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6894629.11.raw.unpack
    10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.raw.unpack
    0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack
    12.2.dhcpmon.exe.421b7a6.3.raw.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack
    1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.raw.unpack
    14.2.dhcpmon.exe.3fd05dc.4.raw.unpack
    7.2.dhcpmon.exe.4292e10.2.raw.unpack
    6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack
    9.2.dhcpmon.exe.4362e10.1.raw.unpack
    7.2.dhcpmon.exe.41bc9c0.1.raw.unpack
    9.2.dhcpmon.exe.428c9c0.2.raw.unpack
    0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack
Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack; Avira: Label: TR/NanoCore.fadte
Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: dows\dll\mscorlib.pdbGk; source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.483797356.00000000015D2000.00000004.00000020.sdmp

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: cloudhost.myfirewall.org
Source: global traffic; TCP traffic: 192.168.2.3:49700 -> 45.154.4.64:5456
Source: Joe Sandbox View; IP Address: 45.154.4.64
Source: Joe Sandbox View; ASN Name: COMBAHTON (combahton GmbH, DE)
Source: unknown; DNS traffic detected: queries for: cloudhost.myfirewall.org
Strings found in binary or memory (URLs). The memory dumps they were found in are grouped as follows:
    [A] cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000002.243134558.0000000007242000.00000004.00000001.sdmp; cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.278971780.0000000005EF0000.00000002.00000001.sdmp; dhcpmon.exe, 00000007.00000002.279684540.0000000006000000.00000002.00000001.sdmp; dhcpmon.exe, 00000009.00000002.299680250.0000000006130000.00000002.00000001.sdmp
    [B] cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000003.215119178.000000000606E000.00000004.00000001.sdmp
    [C] dhcpmon.exe, 00000009.00000002.299680250.0000000006130000.00000002.00000001.sdmp
    [D] cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000003.233257404.0000000006038000.00000004.00000001.sdmp
    [E] cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000003.214236957.000000000606E000.00000004.00000001.sdmp; cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000003.213440503.000000000606E000.00000004.00000001.sdmp; cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.278971780.0000000005EF0000.00000002.00000001.sdmp; dhcpmon.exe, 00000007.00000002.279684540.0000000006000000.00000002.00000001.sdmp; dhcpmon.exe, 00000009.00000002.299680250.0000000006130000.00000002.00000001.sdmp
    [F] cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000003.213413683.000000000606E000.00000004.00000001.sdmp
    [G] cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000003.213423068.000000000604B000.00000004.00000001.sdmp
Source [A]: http://fontfabrik.com
Source [A]: http://www.apache.org/licenses/LICENSE-2.0
Source [B]: http://www.carterandcone.com
Source [B]: http://www.carterandcone.com;y
Source [B]: http://www.carterandcone.comWxU
Source [A]: http://www.carterandcone.coml
Source [B]: http://www.carterandcone.comn-u
Source [A]: http://www.fontbureau.com
Source [C]: http://www.fontbureau.com/designers
Source [A]: http://www.fontbureau.com/designers/?
Source [A]: http://www.fontbureau.com/designers/cabarga.htmlN
Source [A]: http://www.fontbureau.com/designers/frere-jones.html
Source [A]: http://www.fontbureau.com/designers8
Source [A]: http://www.fontbureau.com/designers?
Source [A]: http://www.fontbureau.com/designersG
Source [D]: http://www.fontbureau.come.com
Source [D]: http://www.fontbureau.comgrito
Source [D]: http://www.fontbureau.comm
Source [D]: http://www.fontbureau.commc
Source [E]: http://www.fonts.com
Source [F]: http://www.fonts.comEF
Source [G]: http://www.fonts.comY
Source [A]: http://www.founder.com.cn/cn
Source [A]: http://www.founder.com.cn/cn/bThe
Source [A]: http://www.founder.com.cn/cn/cThe
Source [A]: http://www.galapagosdesign.com/DPlease
Source [A]: http://www.galapagosdesign.com/staff/dennis.htm
Source [A]: http://www.goodfont.co.kr
Source [A]: http://www.jiyu-kobo.co.jp/
Source [A]: http://www.sajatypeworks.com
Source [A]: http://www.sakkal.com
Source [A]: http://www.sandoll.co.kr
Source [C]: http://www.tiro.com
Source [A]: http://www.typography.netD
Source [A]: http://www.urwpp.deDPlease
Source [A]: http://www.zhongyicts.com.cn
These are font-foundry and licence URLs of the kind carried in font metadata loaded into the processes, listed here only as strings present in memory; the trailing garbage characters are bytes adjacent to the strings in the dump. They are not observed traffic. The only network activity the report records is the DNS query for cloudhost.myfirewall.org and the TCP connection to 45.154.4.64:5456 listed above.
Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match, File source: 0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000001.00000002.484987240.0000000003411000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 3468, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5064, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY
        Source: Yara match, File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY
        Source: Yara match, File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160, type: MEMORY
        Source: Yara match, File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY
        Source: Yara match, File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224, type: MEMORY
        Source: Yara match, File source: 12.2.dhcpmon.exe.42205dc.5.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.3fd05dc.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a74c05.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.4224c05.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.3fd4c05.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4464c05.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.42205dc.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6894629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 14.2.dhcpmon.exe.3fd05dc.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.dhcpmon.exe.4292e10.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 9.2.dhcpmon.exe.4362e10.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.dhcpmon.exe.41bc9c0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 9.2.dhcpmon.exe.428c9c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000001.00000002.489985311.0000000005940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.292765353.0000000002A59000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 3468, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 3468, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5064, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5064, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.2fbec20.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 12.2.dhcpmon.exe.42205dc.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3209dd0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.3fd05dc.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a74c05.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 12.2.dhcpmon.exe.4224c05.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.343ca68.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.3fd4c05.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.5940000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4464c05.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.2a89714.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.42205dc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6894629.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.2a4cd70.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.dhcpmon.exe.3fd05dc.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.dhcpmon.exe.4292e10.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.dhcpmon.exe.4292e10.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.dhcpmon.exe.4362e10.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 9.2.dhcpmon.exe.4362e10.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.dhcpmon.exe.41bc9c0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 7.2.dhcpmon.exe.41bc9c0.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.dhcpmon.exe.428c9c0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 9.2.dhcpmon.exe.428c9c0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_015BC204
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_015BE5D0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_015BE5C0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02ECE240
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02ECEB10
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02EC2930
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02EC12E8
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02EC12D8
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02ECE235
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02EC0040
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02EC0006
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02ECDEF8
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02EC4D4C
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02EC4D50
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02F47B10
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02F40040
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02F43910
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02F43678
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02F433B0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02F433A0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 0_2_02F43900
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 1_2_0182E480
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 1_2_0182E471
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 1_2_0182BBD4
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 1_2_0589F5F8
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 1_2_05899788
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 1_2_0589A5D0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 1_2_0589A610
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_0136C204
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_0136E5D0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_0136E5C3
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C3E240
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C3EB10
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C32930
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C312D8
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C312E8
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C30040
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C3001B
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C3DEF8
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C3470A
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C34D50
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02C34D3B
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02CB0040
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02CB3910
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02CB3678
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02CB33A0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02CB33B0
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02CB3900
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02CB3668
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02EEF648
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe, Code function: 6_2_02EE4970
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_0151C204
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_0151E5D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_0151E5C0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E6E240
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E6EB10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E62930
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E612E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E612D8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E60040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E60006
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E6470A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E6DEF8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E64C7A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02E64D50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE0040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE3910
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE3678
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE33A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE33B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE3900
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE3668
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 7_2_02EE7C18
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000000.211226487.0000000000C3C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHWZinl0yCvGMAUeP.exeN vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000002.234506945.0000000003134000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000002.246177375.0000000007C00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000000.232533017.0000000000F6C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHWZinl0yCvGMAUeP.exeN vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.490502818.00000000067A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.483761727.00000000015AA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.491028151.00000000073B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.278084679.00000000054D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000000.247575196.0000000000ACC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHWZinl0yCvGMAUeP.exeN vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.280617361.0000000007280000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.267849385.000000000115A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 0000000A.00000002.289320632.000000000065C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHWZinl0yCvGMAUeP.exeN vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 0000000A.00000002.292765353.0000000002A59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 0000000A.00000002.291022910.0000000000C7A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe | Binary or memory string: OriginalFilenameHWZinl0yCvGMAUeP.exeN vs cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: 00000001.00000002.489985311.0000000005940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.489985311.0000000005940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.292765353.0000000002A59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 3468, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 3468, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5064, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5064, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.2fbec20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.2fbec20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.42205dc.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.42205dc.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.3209dd0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3209dd0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.3fd05dc.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.3fd05dc.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a74c05.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a74c05.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.4224c05.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.4224c05.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.343ca68.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.343ca68.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.3fd4c05.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.3fd4c05.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.5940000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.5940000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4464c05.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4464c05.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.2a89714.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.2a89714.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.42205dc.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.42205dc.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6894629.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6894629.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.2a4cd70.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.2a4cd70.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.dhcpmon.exe.3fd05dc.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.3fd05dc.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.dhcpmon.exe.4292e10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.dhcpmon.exe.4292e10.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.dhcpmon.exe.4362e10.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.4362e10.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.dhcpmon.exe.41bc9c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.dhcpmon.exe.41bc9c0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.dhcpmon.exe.428c9c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.428c9c0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000003.214715437.000000000606D000.00000004.00000001.sdmp Binary or memory string: 0s.slnt
        Source: classification engine Classification label: mal100.troj.evad.winEXE@20/8@7/2
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cd61fe0ebfe9f6326cd5a4df9747e72c.exe.log
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{25d2fcba-c6f2-4766-acfe-f43fa2f1c231}
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe File created: C:\Users\user\AppData\Local\Temp\tmp8193.tmp
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe ReversingLabs: Detection: 25%
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe File read: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
        Source: unknown Process created: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe 'C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe'
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe {path}
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp84B1.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe 0
        Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe {path}
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp'
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp84B1.tmp'
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: dows\dll\mscorlib.pdbGk source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.483797356.00000000015D2000.00000004.00000020.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 0_2_015B6BB9 push 1405566Ah; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 0_2_02EC2C42 push edx; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 0_2_02EC9DAB pushad ; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 1_2_058969F8 pushad ; retf
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 1_2_058969FB push esp; retf
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_01364101 push ecx; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_013641FB push ebp; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_013641C1 push esp; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_013640C3 push eax; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_013640C1 push eax; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_013642B1 push esi; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_01364537 push edi; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_0136453B push edi; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_01364471 push edi; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_013644F0 push edi; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_0136B361 pushfd ; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_0136B251 pushfd ; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_0136B2A8 pushfd ; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_0136B413 pushfd ; iretd
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C3CAC4 pushad ; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C322D7 push ds; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C35AF3 push ebp; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C3225B push ds; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C35387 push ecx; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C35B47 push ebp; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C35B57 push esi; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C35B5F push esp; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C35360 push ebx; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C3536B push ecx; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C3536F push ecx; ret
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Code function: 6_2_02C35373 push ebx; ret
        Source: initial sample Static PE information: section name: .text entropy: 7.37345059392
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe File opened: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY
        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000002.234444553.00000000030E1000.00000004.00000001.sdmp, cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.271289250.0000000002F01000.00000004.00000001.sdmp, dhcpmon.exe, 00000007.00000002.271593966.0000000003051000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000002.234444553.00000000030E1000.00000004.00000001.sdmp, cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.271289250.0000000002F01000.00000004.00000001.sdmp, dhcpmon.exe, 00000007.00000002.271593966.0000000003051000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeWindow / User API: threadDelayed 7326
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeWindow / User API: threadDelayed 1968
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeWindow / User API: foregroundWindowGot 855
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe TID: 5680Thread sleep time: -31500s >= -30000s
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe TID: 5648Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe TID: 5904Thread sleep time: -9223372036854770s >= -30000s
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe TID: 6056Thread sleep time: -31500s >= -30000s
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe TID: 4952Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4220Thread sleep time: -31500s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2436Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6068Thread sleep time: -31500s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5880Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe TID: 5044Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5728Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4920Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeThread delayed: delay time: 31500
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 31500
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: dhcpmon.exe, 00000007.00000002.289250340.0000000008861000.00000004.00000001.sdmpBinary or memory string: VMware
        Source: dhcpmon.exe, 00000007.00000002.289250340.0000000008861000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware3UW3EG5WWin32_VideoControllerOKLWC7_2VideoController120060621000000.000000-00078512323display.infMSBDATN6AAWCLPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsSX6PK4_V
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.281654044.000000000E2C0000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware3UW3EG5WWin32_VideoControllerOKLWC7_2VideoController120060621000000.000000-00078512323display.infMSBDATN6AAWCLPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsSX6PK4_Vl
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.491028151.00000000073B0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: VMWARE
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.483866370.000000000163E000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(V~q
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.491028151.00000000073B0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.491028151.00000000073B0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: dhcpmon.exe, 00000009.00000002.292078736.0000000003121000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000002.249217026.000000000EB60000.00000004.00000001.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware3UW3EG5WWin32_VideoControllerOKLWC7_2VideoController120060621000000.000000-00078512323display.infMSBDATN6AAWCLPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsSX6PK4_VO
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.491028151.00000000073B0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeMemory written: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess created: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe {path}
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp'
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp84B1.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.486359950.000000000350D000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.484100244.0000000001CE0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.484100244.0000000001CE0000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.484100244.0000000001CE0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe  Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeCode function: 0_2_02F42FC8 GetUserNameA,
        Source: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match File source: 0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.484987240.0000000003411000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3468, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5064, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224, type: MEMORY
        Source: Yara match File source: 12.2.dhcpmon.exe.42205dc.5.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.3fd05dc.4.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a74c05.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.4224c05.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.3fd4c05.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4464c05.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.42205dc.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6894629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.3fd05dc.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 7.2.dhcpmon.exe.4292e10.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 9.2.dhcpmon.exe.4362e10.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 7.2.dhcpmon.exe.41bc9c0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 9.2.dhcpmon.exe.428c9c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: cd61fe0ebfe9f6326cd5a4df9747e72c.exe, 0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
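The "Detected Nanocore Rat" evidence above is a set of .NET metadata strings (the NanoCore.ClientPluginHost type name, the IClient*Host plugin interfaces and the ClientPlugin.dll file name) recovered from process memory dumps. The following is an added example, not Joe Sandbox code and not part of the original report: a small Python scanner that looks for those exact markers in a memory dump or an unpacked PE, in both UTF-8 (the .NET #Strings heap, where type names live) and UTF-16LE (the #US heap and runtime string buffers), and only flags a buffer when several distinct markers co-occur, so a single generic substring does not trigger on its own. The marker list is taken from the strings listed in this report; the sample buffer is constructed here to mimic the metadata run the report quotes.

```python
"""Scan a memory dump or unpacked PE for the NanoCore client-plugin host
markers observed in the report. Added example; not sandbox or vendor code."""
import re
from typing import Dict, List

# Marker strings taken from the "String found in binary or memory" evidence.
# None of these is a substring of another, so hit counts stay independent.
NANOCORE_MARKERS = (
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "ClientPlugin.dll",
)


def _needles(marker: str) -> Dict[str, bytes]:
    # .NET stores type and member names UTF-8 encoded in the #Strings heap;
    # user-string literals and many runtime buffers are UTF-16LE. Check both.
    return {"utf8": marker.encode("utf-8"), "utf16le": marker.encode("utf-16-le")}


def scan_buffer(data: bytes) -> Dict[str, List[dict]]:
    """Return {marker: [{'offset': int, 'encoding': str}, ...]} for each marker
    that occurs at least once in `data`. Markers with no hit are omitted."""
    hits: Dict[str, List[dict]] = {}
    for marker in NANOCORE_MARKERS:
        for enc, needle in _needles(marker).items():
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(marker, []).append({"offset": m.start(), "encoding": enc})
    return hits


def verdict(hits: Dict[str, List[dict]], min_markers: int = 2) -> bool:
    """Require several distinct markers before calling the buffer NanoCore,
    so that one generic name such as ClientPlugin.dll cannot trigger alone."""
    return len(hits) >= min_markers


def scan_file(path: str) -> Dict[str, List[dict]]:
    """Convenience wrapper for a dumped region (.sdmp) or .unpack file on disk."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample (not a real dump): a fragment modelled on the metadata
# string run quoted in the report, zero padding, one UTF-16LE copy of the host
# type name, and the trailing plugin file name.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"<Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.My"
    + b"IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHost"
    + b"NanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHost"
    + b"\x00" * 32
    + "NanoCore.ClientPluginHost".encode("utf-16-le")
    + b"\x00" * 32
    + b"ClientPluginClientPlugin.dll"
)

# Constructed benign control: a plain PE stub header with no NanoCore strings.
BENIGN_SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 128


if __name__ == "__main__":
    for name, buf in (("sample_dump", SAMPLE_DUMP), ("benign", BENIGN_SAMPLE)):
        found = scan_buffer(buf)
        print(f"{name}: nanocore={verdict(found)}")
        for marker, locs in found.items():
            print(f"  {marker}: {[(h['offset'], h['encoding']) for h in locs]}")
```

Run it against the `.sdmp` regions or `.unpack` files a sandbox exports (`scan_file(path)`), or point it at a live process dump. The two-marker threshold is a deliberate trade-off: the type names are specific to the NanoCore plugin host interface, but ClientPlugin.dll alone is generic enough to appear in unrelated software.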
        Yara detected Nanocore RAT
        Source: Yara match File source: 0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.484987240.0000000003411000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3468, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5064, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3156, type: MEMORY
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6124, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5644, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2160, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 5932, type: MEMORY
        Source: Yara match File source: Process Memory Space: cd61fe0ebfe9f6326cd5a4df9747e72c.exe PID: 2224, type: MEMORY
        Source: Yara match File source: 12.2.dhcpmon.exe.42205dc.5.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.3fd05dc.4.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a74c05.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.4224c05.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a6b7a6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 7.2.dhcpmon.exe.4292e10.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 9.2.dhcpmon.exe.4362e10.1.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.3fcb7a6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.dhcpmon.exe.3fd4c05.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4464c05.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.44605dc.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4142e10.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.42205dc.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6894629.11.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.3a705dc.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.4322e10.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.421b7a6.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.445b7a6.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.3fd05dc.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.dhcpmon.exe.4292e10.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.406c9c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.4362e10.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.dhcpmon.exe.41bc9c0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.428c9c0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.424c9c0.1.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection112 | Masquerading2 | Input Capture11 | Security Software Discovery311 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Security Account Manager | Virtualization/Sandbox Evasion131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Behavior Graph ID: 402423. Sample: cd61fe0ebfe9f6326cd5a4df974... Start date: 03/05/2021. Architecture: WINDOWS. Score: 100.

        Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures.

        Process tree recovered from the graph:
        • cd61fe0ebfe9f6326cd5a4df9747e72c.exe (started twice) and dhcpmon.exe (started twice) are the top-level processes.
        • The first cd61fe0ebfe9f6326cd5a4df9747e72c.exe drops cd61fe0ebfe9f6326cd5a4df9747e72c.exe.log (ASCII); signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes. It starts a child cd61fe0ebfe9f6326cd5a4df9747e72c.exe.
        • Each dhcpmon.exe starts a further dhcpmon.exe; the second cd61fe0ebfe9f6326cd5a4df9747e72c.exe starts a further cd61fe0ebfe9f6326cd5a4df9747e72c.exe.
        • The injected child cd61fe0ebfe9f6326cd5a4df9747e72c.exe contacts cloudhost.myfirewall.org (45.154.4.64, port 5456, COMBAHTONcombahtonGmbHDE, Netherlands) and 192.168.2.1; it drops C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (data), C:\Users\user\AppData\Local\...\tmp8193.tmp (XML) and C:\...\dhcpmon.exe:Zone.Identifier (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier). It starts schtasks.exe twice, each of which starts conhost.exe.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        cd61fe0ebfe9f6326cd5a4df9747e72c.exe | 26% | ReversingLabs | ByteCode-MSIL.Packed.Generic

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 23% | ReversingLabs | ByteCode-MSIL.Packed.Generic

        Unpacked PE Files

        Source | Detection | Scanner | Label
        10.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        1.2.cd61fe0ebfe9f6326cd5a4df9747e72c.exe.6890000.10.unpack | 100% | Avira | TR/NanoCore.fadte

        Domains

        Source | Detection | Scanner | Label
        cloudhost.myfirewall.org | 8% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        cloudhost.myfirewall.org | 8% | Virustotal |
        cloudhost.myfirewall.org | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        cloudhost.myfirewall.org | 45.154.4.64 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        cloudhost.myfirewall.org | true | 8% (Virustotal); Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries


                            Contacted IPs


                            Public

                            IP:45.154.4.64
                            Domain:cloudhost.myfirewall.org
                            Country:Netherlands
                            ASN:30823
                            ASN Name:COMBAHTONcombahtonGmbHDE
                            Malicious:true

                            Private

                            IP
                            192.168.2.1

                            General Information

                            Joe Sandbox Version:32.0.0 Black Diamond
                            Analysis ID:402423
                            Start date:03.05.2021
                            Start time:06:12:09
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 13m 6s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:25
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@20/8@7/2
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                            • Excluded IPs from analysis (whitelisted): 40.88.32.150, 168.61.161.212, 104.43.139.144, 13.64.90.137, 2.20.84.85
                            • Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            06:13:08 | API Interceptor | 941x Sleep call for process: cd61fe0ebfe9f6326cd5a4df9747e72c.exe modified
                            06:13:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            06:13:16 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe" s>$(Arg0)
                            06:13:17 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                            06:13:23 | API Interceptor | 4x Sleep call for process: dhcpmon.exe modified

                            Joe Sandbox View / Context

                            IPs

                            Match:45.154.4.64
                            Associated Sample Name / URL (Detection):
                            • 8mOB0MBW71.exe (malicious)
                            • 16j7nmOOPS.exe (malicious)
                            • RFQ_Quotation_33645.jar (malicious)
                            • RFQ_Quotation_33645.jar (malicious)
                            • c86d280b0c5cb985372fa7a0260cabb9.exe (malicious)
                            • edc1948e07209992d4eb51b64c3c102a.exe (malicious)

                                        Domains

                                        Match:cloudhost.myfirewall.org
                                        Associated Sample Name / URL (Detection), Context:
                                        • PyQdnx9PHg.exe (malicious), 31.210.21.252
                                        • GO1eovBADG.exe (malicious), 45.85.90.92
                                        • 9nNELqsesC.exe (malicious), 46.183.220.67
                                        • 180421 PDA Request for Quotation.doc (malicious), 46.183.220.67
                                        • edc1948e07209992d4eb51b64c3c102a.exe (malicious), 45.154.4.64
                                        • 1RevKocjWoyhJ3y.exe (malicious), 45.154.4.68
                                        • bbbe7872ea466446da60c4da50020cbb.exe (malicious), 79.134.225.105
                                        • e92b274943f4a3a557881ee0dd57772d.exe (malicious), 79.134.225.105
                                        • 256ec8f8f67b59c5e085b0bb63afcd13.exe (malicious), 79.134.225.105
                                        • 9a08c8a2b49d6348f2ef35f85a1c6351.exe (malicious), 79.134.225.105
                                        • zSDBuG8gDl.exe (malicious), 185.229.243.67
                                        • 65d1beae1fc7eb126cd4a9b277afb942.exe (malicious), 79.134.225.96
                                        • f2a22415c1b108ce91fd76e3320431d0.exe (malicious), 79.134.225.105
                                        • 1d8eff2bc76e46dc186fa501e24f5cb1.exe (malicious), 79.134.225.105
                                        • 5134b758f8eb77424254ce67f4697ffe.exe (malicious), 79.134.225.96
                                        • 1d8eff2bc76e46dc186fa501e24f5cb1.exe (malicious), 79.134.225.96
                                        • 460f7e6048ed3ca91f1573a7410fedd6.exe (malicious), 79.134.225.96
                                        • 1d78424ce6944359d546dbcbc030f19e.exe (malicious), 79.134.225.105

                                        ASN

                                        Match:COMBAHTONcombahtonGmbHDE
                                        Associated Sample Name / URL (Detection), Context:
                                        • SecuriteInfo.com.Trojan.GenericKD.46134463.32139.exe (malicious), 152.89.247.94
                                        • SecuriteInfo.com.Trojan.GenericKD.46134463.32139.exe (malicious), 152.89.247.94
                                        • Payu transfer form.scr.exe (malicious), 45.154.4.187
                                        • 6Lxyp86O5r.exe (malicious), 185.223.28.241
                                        • Payu transfer form.scr.exe (malicious), 45.154.4.187
                                        • t.exe (malicious), 185.234.72.193
                                        • Payu Remittance.scr.exe (malicious), 45.154.4.187
                                        • 8mOB0MBW71.exe (malicious), 45.154.4.64
                                        • 16j7nmOOPS.exe (malicious), 45.154.4.64
                                        • PRODUCT LIST.exe (malicious), 152.89.247.26
                                        • ggg6d3cpLN.exe (malicious), 45.147.229.85
                                        • RFQ_Quotation_33645.jar (malicious), 45.154.4.64
                                        • RFQ_Quotation_33645.jar (malicious), 45.154.4.64
                                        • COBxDiCIPE.exe (malicious), 185.234.72.84
                                        • q8kLYww20p.exe (malicious), 185.150.25.183
                                        • WVfZC9E9zy.xlsm (malicious), 160.20.147.241
                                        • c86d280b0c5cb985372fa7a0260cabb9.exe (malicious), 45.154.4.64
                                        • edc1948e07209992d4eb51b64c3c102a.exe (malicious), 45.154.4.64
                                        • 1kg67oWywx.exe (malicious), 45.153.240.131
                                        • 4CEbLdyJkK.exe (malicious), 160.20.147.195

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Process:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):817664
                                        Entropy (8bit):7.372197931665627
                                        Encrypted:false
                                        SSDEEP:24576:mcoLAtztGneLJo9ilgwrTB5PLZ6mz9U4F:rGnkJo9Mgwr15N6mzqQ
                                        MD5:CAFE59D79E00E211548D5E569931E70E
                                        SHA1:D7FBFD97E93DEC7490EF06C24E2D373127CE56EB
                                        SHA-256:4B603D683F975207871344AA9790AC649BD15C98CCEECF626B92A1D3D8FD85F4
                                        SHA-512:5FFB8743EAF17CA74EFF460731F5E1835943DCF4C603D0137B1CF5236CA9981E4141A5C4997D006473B7272E14C11C431B1CE57D7C2CEA818934719D832C6ABA
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 23%
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.`.................p............... ........@.. ....................................@.................................,...W.................................................................................... ............... ..H............text....n... ...p.................. ..`.reloc...............r..............@..B.rsrc................t..............@..@................h.......H.......HE...H...........o..............................................z.(......}.....(....o....}....*..*...0...........{......E............8...Z...u................*..}..... ].4S}......}.....*..}..... ..Q.}......}.....*..}......{.... Km.a}......}.....*..}..... ,...}......}.....*..}......{.... ..=.a}......}.....*..}..... ....}......}.....*..}..... "G.R}......}.....*..}.....*...{....*.s....z.2.{.....4...*....0..<........{......3..{....(....o....3...}......+..s.......{....}..
                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cd61fe0ebfe9f6326cd5a4df9747e72c.exe.log
                                        Process:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1308
                                        Entropy (8bit):5.345811588615766
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                        Malicious:true
                                        Reputation:moderate, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1308
                                        Entropy (8bit):5.345811588615766
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Temp\tmp8193.tmp
                                        Process:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1322
                                        Entropy (8bit):5.152508680113646
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0fuhxtn:cbk4oL600QydbQxIYODOLedq3wyj
                                        MD5:2E01729C4CBFA0824FA19C502719E1F0
                                        SHA1:6183FF20CE8E71DEABC0ABC7413395D2E02E5EB8
                                        SHA-256:96F7EF60688D6A41E8DAAD7A371C7F2A7D7C5F708BACD4D56A43DDE8B39F5E51
                                        SHA-512:A72B5096B25BB08949DE4F0162D691DD7DCA1DB60DC885FB741FE8618F6E80F6F304DE03DC1C5C12637F3EF2E551EDC55FA7D2885F846D5DDCC637E19635B8FB
                                        Malicious:true
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmp84B1.tmp
                                        Process:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):1310
                                        Entropy (8bit):5.109425792877704
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                        Process:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:rM8t:Q8t
                                        MD5:77632B38511A41BC3CE512B7978C4FAE
                                        SHA1:E0C5DEB12A9147E2BF51B16CAB9F80A66DBABD4B
                                        SHA-256:3A271C465E23FBF037C0F8EEC583907F50C191A784C25D39D69D7201D6028DE5
                                        SHA-512:6DB8F6C8251804470F240957A14C0F6A0DCE8756C18906274315F7FE4180E23AA08BE19A1C6AED5AB767C97D8CDD5F98EA72F5D8BF487607B968A6538CF91356
                                        Malicious:true
                                        Preview: .45..H
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                        Process:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):59
                                        Entropy (8bit):4.577226947520249
                                        Encrypted:false
                                        SSDEEP:3:oNWXp5vGBTADDtS3XGkAn:oNWXpFGBTAnt+XbAn
                                        MD5:373D4A56D721AF230683199455B12D66
                                        SHA1:984A973960B5A38C02B9D40D720BC8AC3196CD08
                                        SHA-256:987F84DCEBA7442776AB9D69C1967C7645C260DD45FC8D3442DA15456C986A39
                                        SHA-512:E23C87238CADF40A7B84FB1BC54BB60466F241FC2514B97755D99D4CE09A931AA0D4E3BC3A910D92FC65AB6FB58F364ACFD4D497C7304A8C305F814326A1BB5F
                                        Malicious:false
                                        Preview: C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.372197931665627
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        File size:817664
                                        MD5:cafe59d79e00e211548d5e569931e70e
                                        SHA1:d7fbfd97e93dec7490ef06c24e2d373127ce56eb
                                        SHA256:4b603d683f975207871344aa9790ac649bd15c98cceecf626b92a1d3d8fd85f4
                                        SHA512:5ffb8743eaf17ca74eff460731f5e1835943dcf4c603d0137b1cf5236ca9981e4141a5c4997d006473b7272e14c11c431b1ce57d7c2cea818934719d832c6aba
                                        SSDEEP:24576:mcoLAtztGneLJo9ilgwrTB5PLZ6mz9U4F:rGnkJo9Mgwr15N6mzqQ
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.`.................p............... ........@.. ....................................@................................

                                        File Icon

                                        Icon Hash:00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x4c8e86
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x608F6C8D [Mon May 3 03:22:53 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e2c | 0x57 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0x5ec | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0xc6e8c | 0xc7000 | False | 0.748219859061 | data | 7.37345059392 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .reloc | 0xca000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xcc000 | 0x5ec | 0x600 | False | 0.444010416667 | data | 4.2368443366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_VERSION | 0xcc0a0 | 0x398 | data | |
                                        RT_MANIFEST | 0xcc438 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Copyright Microsoft 2010
                                        Assembly Version | 1.0.0.0
                                        InternalName | HWZinl0yCvGMAUeP.exe
                                        FileVersion | 1.0.0.0
                                        CompanyName | Microsoft
                                        LegalTrademarks |
                                        Comments |
                                        ProductName | Singleton Vote Manager
                                        ProductVersion | 1.0.0.0
                                        FileDescription | Singleton Vote Manager
                                        OriginalFilename | HWZinl0yCvGMAUeP.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        May 3, 2021 06:13:16.622473001 CEST | 49700 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:13:19.662369013 CEST | 49700 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:13:25.662859917 CEST | 49700 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:13:36.689135075 CEST | 49704 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:13:39.851622105 CEST | 49704 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:13:45.852155924 CEST | 49704 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:13:54.580380917 CEST | 49705 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:13:57.587424994 CEST | 49705 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:03.603514910 CEST | 49705 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:12.012996912 CEST | 49706 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:15.026315928 CEST | 49706 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:21.042445898 CEST | 49706 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:30.479223013 CEST | 49707 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:33.480999947 CEST | 49707 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:39.497117996 CEST | 49707 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:48.508419037 CEST | 49708 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:51.513839960 CEST | 49708 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:14:57.529858112 CEST | 49708 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:15:05.136528015 CEST | 49709 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:15:08.140086889 CEST | 49709 | 5456 | 192.168.2.3 | 45.154.4.64
                                        May 3, 2021 06:15:14.140600920 CEST | 49709 | 5456 | 192.168.2.3 | 45.154.4.64

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        May 3, 2021 06:12:53.469957113 CEST | 54130 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:12:53.520760059 CEST | 53 | 54130 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:12:54.490751028 CEST | 56961 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:12:54.539424896 CEST | 53 | 56961 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:12:55.392870903 CEST | 59353 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:12:55.446100950 CEST | 53 | 59353 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:12:56.179971933 CEST | 52238 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:12:56.228651047 CEST | 53 | 52238 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:12:57.057734966 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:12:57.114573002 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:12:57.992364883 CEST | 53196 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:12:58.051346064 CEST | 53 | 53196 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:12:59.227421045 CEST | 56777 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:12:59.284674883 CEST | 53 | 56777 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:00.317862988 CEST | 58643 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:00.369373083 CEST | 53 | 58643 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:01.572945118 CEST | 60985 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:01.624459028 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:02.770304918 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:02.820998907 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:03.684628963 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:03.733345985 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:04.689282894 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:04.746345997 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:05.649189949 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:05.700603962 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:06.856580973 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:06.910275936 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:07.891201973 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:07.940021992 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:08.798947096 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:08.847690105 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:10.204770088 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:10.253529072 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:16.544682026 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:16.610896111 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:26.608794928 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:26.681531906 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:36.598557949 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:36.660099983 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:13:54.522099018 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:13:54.579246998 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:14:11.950134993 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:14:12.009407997 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:14:30.416460037 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:14:30.477823019 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:14:48.437777042 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:14:48.506958008 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                        May 3, 2021 06:15:05.074812889 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                        May 3, 2021 06:15:05.135440111 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        May 3, 2021 06:13:16.544682026 CEST | 192.168.2.3 | 8.8.8.8 | 0x9ed6 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:13:36.598557949 CEST | 192.168.2.3 | 8.8.8.8 | 0x50d7 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:13:54.522099018 CEST | 192.168.2.3 | 8.8.8.8 | 0xb7fe | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:14:11.950134993 CEST | 192.168.2.3 | 8.8.8.8 | 0xa4b7 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:14:30.416460037 CEST | 192.168.2.3 | 8.8.8.8 | 0x72ad | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:14:48.437777042 CEST | 192.168.2.3 | 8.8.8.8 | 0xe510 | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:15:05.074812889 CEST | 192.168.2.3 | 8.8.8.8 | 0xef7f | Standard query (0) | cloudhost.myfirewall.org | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        May 3, 2021 06:13:16.610896111 CEST | 8.8.8.8 | 192.168.2.3 | 0x9ed6 | No error (0) | cloudhost.myfirewall.org | | 45.154.4.64 | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:13:36.660099983 CEST | 8.8.8.8 | 192.168.2.3 | 0x50d7 | No error (0) | cloudhost.myfirewall.org | | 45.154.4.64 | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:13:54.579246998 CEST | 8.8.8.8 | 192.168.2.3 | 0xb7fe | No error (0) | cloudhost.myfirewall.org | | 45.154.4.64 | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:14:12.009407997 CEST | 8.8.8.8 | 192.168.2.3 | 0xa4b7 | No error (0) | cloudhost.myfirewall.org | | 45.154.4.64 | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:14:30.477823019 CEST | 8.8.8.8 | 192.168.2.3 | 0x72ad | No error (0) | cloudhost.myfirewall.org | | 45.154.4.64 | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:14:48.506958008 CEST | 8.8.8.8 | 192.168.2.3 | 0xe510 | No error (0) | cloudhost.myfirewall.org | | 45.154.4.64 | A (IP address) | IN (0x0001)
                                        May 3, 2021 06:15:05.135440111 CEST | 8.8.8.8 | 192.168.2.3 | 0xef7f | No error (0) | cloudhost.myfirewall.org | | 45.154.4.64 | A (IP address) | IN (0x0001)

                                        Code Manipulations

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:06:13:00
                                        Start date:03/05/2021
                                        Path:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe'
                                        Imagebase:0xb70000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.237161561.00000000040E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:06:13:10
                                        Start date:03/05/2021
                                        Path:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xea0000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.489985311.0000000005940000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.489985311.0000000005940000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.488801787.0000000004459000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.484987240.0000000003411000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.479870738.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.490630071.0000000006890000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:06:13:13
                                        Start date:03/05/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8193.tmp'
                                        Imagebase:0x1f0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:06:13:13
                                        Start date:03/05/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:06:13:13
                                        Start date:03/05/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp84B1.tmp'
                                        Imagebase:0x1f0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:06:13:14
                                        Start date:03/05/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:06:13:16
                                        Start date:03/05/2021
                                        Path:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe 0
                                        Imagebase:0xa00000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.274443364.0000000003F09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:06:13:18
                                        Start date:03/05/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                        Imagebase:0xc00000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.274520141.0000000004059000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Antivirus matches:
                                        • Detection: 23%, ReversingLabs
                                        Reputation:low

                                        General

                                        Start time:06:13:24
                                        Start date:03/05/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                        Imagebase:0xd70000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.295474134.0000000004129000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:06:13:25
                                        Start date:03/05/2021
                                        Path:C:\Users\user\Desktop\cd61fe0ebfe9f6326cd5a4df9747e72c.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x590000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.292598003.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.284508167.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.292765353.0000000002A59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.293253440.0000000003A29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:06:13:25
                                        Start date:03/05/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):false
                                        Commandline:{path}
                                        Imagebase:0x70000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:06:13:26
                                        Start date:03/05/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xdb0000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.290898353.00000000031D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.289163047.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.291112478.00000000041D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:06:13:32
                                        Start date:03/05/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x9e0000
                                        File size:817664 bytes
                                        MD5 hash:CAFE59D79E00E211548D5E569931E70E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.305109543.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.306683734.0000000003F89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.306608313.0000000002F81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        Disassembly

                                        Code Analysis
