Analysis Report PAYMENT-PO#45678.exe

Overview

General Information

Sample Name: PAYMENT-PO#45678.exe
Analysis ID: 433324
MD5: 438425f009b373154e4e3629c3539581
SHA1: 5f686134a72fe1260d504dedc88d8500c4f0c1f6
SHA256: b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PAYMENT-PO#45678.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\PAYMENT-PO#45678.exe' MD5: 438425F009B373154E4E3629C3539581)
    • PAYMENT-PO#45678.exe (PID: 6688 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe MD5: 438425F009B373154E4E3629C3539581)
    • PAYMENT-PO#45678.exe (PID: 6736 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe MD5: 438425F009B373154E4E3629C3539581)
      • schtasks.exe (PID: 6788 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6844 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PAYMENT-PO#45678.exe (PID: 6920 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe 0 MD5: 438425F009B373154E4E3629C3539581)
    • PAYMENT-PO#45678.exe (PID: 7020 cmdline: C:\Users\user\Desktop\PAYMENT-PO#45678.exe MD5: 438425F009B373154E4E3629C3539581)
  • dhcpmon.exe (PID: 6968 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 438425F009B373154E4E3629C3539581)
    • dhcpmon.exe (PID: 7040 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 438425F009B373154E4E3629C3539581)
  • dhcpmon.exe (PID: 4952 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 438425F009B373154E4E3629C3539581)
    • dhcpmon.exe (PID: 6340 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 438425F009B373154E4E3629C3539581)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "fa01d1ff-8193-42b2-a0e1-b0e6c90b", "Group": "PO-#9874567", "Domain1": "doc-file.ddns.net", "Domain2": "127.0.0.1", "Port": 7755, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp
Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
Strings:
  • 0x9c12d:$x1: NanoCore.ClientPluginHost
  • 0x9c16a:$x2: IClientNetworkHost
  • 0x9fc9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Unpacked PEs

Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack
Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack
Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack
Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack
Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack
Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
Strings:
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT-PO#45678.exe, ProcessId: 6736, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT-PO#45678.exe, ProcessId: 6736, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT-PO#45678.exe, ProcessId: 6736, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT-PO#45678.exe, ProcessId: 6736, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview


AV Detection:

Found malware configuration
Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fa01d1ff-8193-42b2-a0e1-b0e6c90b", "Group": "PO-#9874567", "Domain1": "doc-file.ddns.net", "Domain2": "127.0.0.1", "Port": 7755, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: PAYMENT-PO#45678.exe | ReversingLabs: Detection: 41%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAYMENT-PO#45678.exe | Joe Sandbox ML: detected
Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.dhcpmon.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.0.dhcpmon.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.dhcpmon.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack | Avira: Label: TR/NanoCore.fadte
Source: 11.0.dhcpmon.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: PAYMENT-PO#45678.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PAYMENT-PO#45678.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb | source: PAYMENT-PO#45678.exe, 00000000.00000002.206021714.0000000003271000.00000004.00000001.sdmp, PAYMENT-PO#45678.exe, 00000008.00000002.222478275.0000000002AA1000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.231089232.0000000005700000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.245812912.0000000004C20000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: doc-file.ddns.net
Source: Malware configuration extractor | URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown | DNS query: name: doc-file.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49718 -> 194.5.97.7:7755
Source: Joe Sandbox View | IP Address: 194.5.97.7
Source: Joe Sandbox View | ASN Name: DANILENKODE
Source: unknown | DNS traffic detected: queries for: doc-file.ddns.net
Source: PAYMENT-PO#45678.exe, 00000000.00000002.205351135.0000000001670000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: PAYMENT-PO#45678.exe, 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.256103684.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.33995b4.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.2a19658.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.5440000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.2e330f8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.2cd9658.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
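The match list above is long but regular, and it answers two triage questions once it is tabulated: which processes carried NanoCore code, and which of the matched memory regions were dumped from writable-and-executable pages. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses lines in the report's format into records and summarises them per process. The way it decodes the dump names (process index, phase, dump id, address, page protection and a trailing kind field, all hexadecimal) and the unpacked-PE names (process index, phase, image name, address, index, optional raw) is an assumption read off the entries on this page rather than documented Joe Sandbox behaviour; 0x40 is the Win32 PAGE_EXECUTE_READWRITE constant. The sample text is a constructed handful of the report's own lines, one of them left in the fused form ("MEMORYMatched rule:") that copying the page produces, to show the parser tolerates it.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40   # Win32 memory-protection constant

# Constructed sample: a few of the report's own "Source:" lines. The parser also
# accepts the fused form ("MEMORYMatched rule:") produced by copying the page.
SAMPLE_LINES = """\
Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Yara matchFile source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE
"""

LINE_RE = re.compile(
    r"^Source:\s*(?:Yara match[;\s]*)?(?:File source:\s*)?(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)"
    r"(?:[;\s]*Matched rule:\s*(?P<rule>.+?)[;\s]+Author:\s*(?P<author>.+?))?[;\s]*$"
)
# Assumed layout: <proc index>.<phase>.<dump id>.<address>.<protection>.<kind>.sdmp (hex fields)
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.\d+\.(?P<addr>[0-9A-F]{16})"
    r"\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$"
)
# Assumed layout: <proc index>.<phase>.<image name>.<address>.<n>.[raw.]unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<name>.+?)\.(?P<addr>[0-9a-f]+)\.\d+\.(?:raw\.)?unpack$"
)
PSPACE_RE = re.compile(r"^Process Memory Space:\s*(?P<name>.+?)\s+PID:\s*(?P<pid>\d+)$")


def parse_hits(text):
    """One dict per report line: where the match was found and which rule fired."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = {"type": m["type"], "rule": m["rule"], "proc": None, "pid": None,
               "name": None, "phase": None, "addr": None, "prot": None}
        src = m["src"]
        if (d := DUMP_RE.match(src)):
            hit.update(proc=int(d["proc"], 16), phase=int(d["phase"], 16),
                       addr=int(d["addr"], 16), prot=int(d["prot"], 16))
        elif (u := UNPACK_RE.match(src)):
            hit.update(proc=int(u["proc"]), phase=int(u["phase"]),
                       name=u["name"], addr=int(u["addr"], 16))
        elif (p := PSPACE_RE.match(src)):
            hit.update(name=p["name"], pid=int(p["pid"]))
        hits.append(hit)
    return hits


def summarize(hits):
    """Per process: rules that matched, hit count, and addresses of RWX memory dumps."""
    # unpacked-PE entries carry the image name; dump names only carry the process index
    names = {h["proc"]: h["name"] for h in hits if h["proc"] is not None and h["name"]}
    acc = defaultdict(lambda: {"rules": set(), "hits": 0, "rwx": set()})
    for h in hits:
        if h["proc"] is not None:
            key = f'{h["proc"]}:{names.get(h["proc"], "?")}'
        elif h["pid"] is not None:
            key = f'pid {h["pid"]}:{h["name"]}'
        else:
            key = "other"
        entry = acc[key]
        entry["hits"] += 1
        if h["rule"]:
            entry["rules"].add(h["rule"])
        if h["type"] == "MEMORY" and h["prot"] == PAGE_EXECUTE_READWRITE:
            entry["rwx"].add(h["addr"])
    return {k: {"rules": sorted(v["rules"]), "hits": v["hits"],
                "rwx_regions": sorted(v["rwx"])} for k, v in acc.items()}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LINES
    for proc, info in sorted(summarize(parse_hits(text)).items()):
        rwx = ", ".join(f"0x{a:x}" for a in info["rwx_regions"]) or "-"
        print(f'{proc:32} hits={info["hits"]:3} rwx={rwx:12} rules={info["rules"]}')
```

Run it on the copied text of this section to get one line per process. In the constructed sample, process index 3 (PAYMENT-PO#45678.exe) has a PAGE_EXECUTE_READWRITE dump at 0x402000, inside the 0x400000 image base at which the unpacked NanoCore PE is listed for the same process; a writable-and-executable region holding a PE image in a process the report also flags for PE injection is the dump to pull first when extracting the configuration by hand.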
        .NET source code contains very large strings
        Source: PAYMENT-PO#45678.exe, SpanFill2d.cs; Long String: Length: 601976
        Source: 0.2.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 0.0.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 1.2.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 1.0.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: dhcpmon.exe.3.dr, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.2.PAYMENT-PO#45678.exe.7d0000.1.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.2.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.4.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 8.2.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
        Source: 8.0.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.cs; Long String: Length: 601976
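The signature above reports a single 601,976-character string literal in the SpanFill2d class, the usual shape of an encoded payload carried inline by a .NET loader. In a .NET assembly every string literal lives in the #US (user string) metadata heap, so the same check can be run on the submitted file or the dropped dhcpmon.exe without a decompiler. The script below is an added example, not the report's own tooling: it walks the PE headers to the CLR header, follows it to the metadata root and the #US stream (ECMA-335 II.24.2), and lists entries above an assumed threshold of 10,000 characters. The `compress_uint` and `us_blob` helpers exist only to build the constructed sample heap that is scanned when no file path is given. An entry's character count is (blob length - 1) / 2 because each #US blob stores UTF-16LE text followed by one flag byte.

```python
import struct
import sys

MIN_CHARS = 10_000   # assumed threshold; the report's literal is 601,976 characters


def compress_uint(n):
    """ECMA-335 II.23.2 compressed unsigned integer (1, 2 or 4 bytes), used to build samples."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    return bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])


def read_compressed_uint(buf, pos):
    """Decode a compressed unsigned integer at buf[pos]; returns (value, next position)."""
    b = buf[pos]
    if b & 0x80 == 0:
        return b, pos + 1
    if b & 0xC0 == 0x80:
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b & 0xE0 == 0xC0:
        return ((b & 0x1F) << 24) | (buf[pos + 1] << 16) | (buf[pos + 2] << 8) | buf[pos + 3], pos + 4
    raise ValueError("invalid compressed integer at offset %d" % pos)


def us_blob(text):
    """Encode one #US entry: compressed length, UTF-16LE text, one trailing flag byte."""
    payload = text.encode("utf-16-le") + b"\x00"
    return compress_uint(len(payload)) + payload


def iter_user_strings(heap):
    """Yield (heap offset, character count) for every entry of a #US heap."""
    pos = 1                          # offset 0 holds the mandatory empty blob
    while pos < len(heap):
        length, start = read_compressed_uint(heap, pos)
        if length:                   # zero-length entries are trailing padding
            yield pos, (length - 1) // 2
        pos = start + length


def long_user_strings_in_heap(heap, min_chars=MIN_CHARS):
    return [(pos, n) for pos, n in iter_user_strings(heap) if n >= min_chars]


def _rva_to_offset(pe, rva):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(n_sections):   # IMAGE_SECTION_HEADER: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, table + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def metadata_streams(pe):
    """Return {stream name: (file offset, size)} for a .NET PE's metadata streams."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    magic = struct.unpack_from("<H", pe, e_lfanew + 24)[0]
    dirs = e_lfanew + 24 + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    clr_rva = struct.unpack_from("<I", pe, dirs + 14 * 8)[0]     # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if not clr_rva:
        raise ValueError("no CLR header: not a .NET assembly")
    clr = _rva_to_offset(pe, clr_rva)
    md_rva = struct.unpack_from("<I", pe, clr + 8)[0]           # IMAGE_COR20_HEADER.MetaData.VirtualAddress
    root = _rva_to_offset(pe, md_rva)
    if struct.unpack_from("<I", pe, root)[0] != 0x424A5342:     # "BSJB"
        raise ValueError("bad metadata signature")
    ver_len = struct.unpack_from("<I", pe, root + 12)[0]         # version string length, already padded to 4
    p = root + 16 + ver_len                                      # Flags (2), Streams (2), then stream headers
    n_streams = struct.unpack_from("<H", pe, p + 2)[0]
    streams, p = {}, p + 4
    for _ in range(n_streams):
        off, size = struct.unpack_from("<II", pe, p)
        name_start = p + 8
        name_end = pe.index(b"\x00", name_start)
        streams[pe[name_start:name_end].decode("ascii")] = (root + off, size)
        p = name_start + ((name_end + 1 - name_start + 3) & ~3)  # name is padded to 4 bytes
    return streams


def long_user_strings(pe, min_chars=MIN_CHARS):
    """(file offset, character count) of every #US literal with at least min_chars characters."""
    off, size = metadata_streams(pe)["#US"]
    return [(off + pos, n) for pos, n in long_user_strings_in_heap(pe[off:off + size], min_chars)]


# Constructed sample heap: the empty blob, a short literal and a 20,000-character one.
SAMPLE_US_HEAP = b"\x00" + us_blob("hello") + us_blob("A" * 20_000)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            found = long_user_strings(f.read())
    else:
        found = long_user_strings_in_heap(SAMPLE_US_HEAP)
    for offset, n in found:
        print(f"#US literal at offset 0x{offset:x}: {n} characters")
```

Against the dropped dhcpmon.exe the script should report one literal of 601,976 characters, the same figure the signature gives for SpanFill2d.cs; the file offset it prints is where to carve the blob for decoding. A loader that stores its payload this way keeps the heap entry intact across the copies listed above, which is why the same length appears for every unpacked image.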
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: PAYMENT-PO#45678.exe
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 0_2_014BD520
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 0_2_014B64C8
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 0_2_014B64BB
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 0_2_014B6758
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 0_2_014B49A0
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_010CE471
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_010CE480
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_010CBBD4
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052B6550
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052B3E30
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052BC6F0
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052BD308
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052B4A50
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052BD640
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052B4B08
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_052BD3C6
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 3_2_06710040
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 8_2_00FFD520
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 8_2_00FF64C8
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 8_2_00FF64BB
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 8_2_00FF6758
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 8_2_00FF49A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_015ED520
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_015E64C8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_015E64BB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_015E6758
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_015E49A0
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 10_2_032AE471
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 10_2_032AE480
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Code function: 10_2_032ABBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_0105E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_0105E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_0105BBD4
        Source: PAYMENT-PO#45678.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.204601830.0000000000E6E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.206021714.0000000003271000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.209367905.00000000057A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.205351135.0000000001670000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.209265990.0000000005700000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWallpaperChanger.dllB vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000001.00000002.201879123.000000000019E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000000.203046703.00000000008FE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.472895693.0000000005280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473431312.00000000061A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467181725.00000000010DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.227792273.0000000004E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWallpaperChanger.dllB vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.221497733.000000000069E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.222478275.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000000.220823699.0000000000F0E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240079437.000000000159A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.242207166.00000000058D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe | Binary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#45678.exe
        Source: PAYMENT-PO#45678.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.256103684.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.2c9cd34.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.PAYMENT-PO#45678.exe.33995b4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.33995b4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.3294584.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.3285750.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.dhcpmon.exe.32845cc.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.2a19658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.2a19658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.27045b8.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.2ac4598.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Yara matches on unpacked PE regions (rule metadata listed once; each matched region follows):
        Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE, matched rules: NanoCore
        Source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 9.2.dhcpmon.exe.3275798.4.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Feb18_1
        Source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.PAYMENT-PO#45678.exe.5440000.7.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.2e330f8.2.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 13.2.dhcpmon.exe.2cd9658.3.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.2aa602c.6.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.3276018.7.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Feb18_1
        Source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 8.2.PAYMENT-PO#45678.exe.2ab5764.4.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Feb18_1
        Source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.dhcpmon.exe.26f5784.6.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 9.2.dhcpmon.exe.3266060.6.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Feb18_1
        Source: 12.2.dhcpmon.exe.26e604c.4.raw.unpack, type: UNPACKEDPE, matched rules: Nanocore_RAT_Feb18_1
        Source: PAYMENT-PO#45678.exe, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 0.2.PAYMENT-PO#45678.exe.d40000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 0.0.PAYMENT-PO#45678.exe.d40000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 1.2.PAYMENT-PO#45678.exe.70000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 1.0.PAYMENT-PO#45678.exe.70000.0.unpack, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: dhcpmon.exe.3.dr, ScanlineFill2d.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: PAYMENT-PO#45678.exe, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 0.2.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 0.0.PAYMENT-PO#45678.exe.d40000.0.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 1.2.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 1.0.PAYMENT-PO#45678.exe.70000.0.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: dhcpmon.exe.3.dr, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 3.2.PAYMENT-PO#45678.exe.7d0000.1.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.0.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.2.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 3.0.PAYMENT-PO#45678.exe.7d0000.4.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 8.2.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 8.0.PAYMENT-PO#45678.exe.570000.0.unpack, SpanFill2d.cs, Base64 encoded string: (long string elided)
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
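The source-code signatures above (CreateDecryptor/TransformFinalBlock in ScanlineFill2d.cs, a very large Base64 string in SpanFill2d.cs, and the WindowsIdentity/IsInRole check) are consistent with a .NET stage that decodes a large string literal and then decrypts it before the Yara-detected NanoCore image appears in memory. The Python below is an added example, not code from this report, from Joe Sandbox or from the sample: it carves long base64 runs out of dumped or decompiled .NET text, decodes each one and says whether the result is already a PE or is high-entropy data that still has to pass through the decryption call the signature points at. The loader text, the fake PE image and the pseudo-random ciphertext are constructed here; the 200-character minimum run length and the 7.0-bit entropy threshold are working assumptions, not values taken from the sample.

```python
import base64
import hashlib
import math
import re
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, lower for a plain PE."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_loader_strings(text: bytes, min_chars: int = 200) -> list:
    """Carve long base64 runs out of dumped/decompiled .NET text, decode each, and
    classify the result: already a PE, or high-entropy data that still has to go
    through the loader's decryption stage (CreateDecryptor/TransformFinalBlock)."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_chars)
    findings = []
    for m in pattern.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # alphabet run that is not well-formed base64 (length/padding)
        ent = shannon_entropy(decoded)
        is_pe = looks_like_pe(decoded)
        if is_pe:
            verdict = "plaintext PE"
        elif ent > 7.0:  # assumed threshold; tune against your own corpus
            verdict = "likely encrypted; needs the decryption stage"
        else:
            verdict = "other data"
        findings.append({
            "offset": m.start(),
            "decoded_len": len(decoded),
            "is_pe": is_pe,
            "entropy": round(ent, 2),
            "verdict": verdict,
        })
    return findings


# --- constructed input (not from the analyzed sample) -------------------------

def _fake_pe() -> bytes:
    """Minimal stand-in for an embedded payload: MZ stub, e_lfanew = 0x80 -> 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)      # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)    # e_lfanew
    hdr += b"\x00" * (0x80 - len(hdr))         # DOS stub padding
    hdr += b"PE\x00\x00" + b"\x00" * 0x30      # truncated NT headers
    return bytes(hdr)


def _fake_ciphertext(blocks: int = 128) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted stage (4096 bytes)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(blocks))


# Text shaped like a decompiled loader class holding two very large string literals.
SAMPLE_LOADER_TEXT = (
    b'class SpanFill2d { string a = "' + base64.b64encode(_fake_pe()) + b'";\n'
    b'                   string b = "' + base64.b64encode(_fake_ciphertext()) + b'"; }\n'
)
```

Run triage_loader_strings() over the text of a dumped assembly (for instance a decompiler export). A "plaintext PE" finding can be written to disk and scanned with the same Yara rules listed above; a "likely encrypted" finding means the key and algorithm still have to be recovered from the CreateDecryptor call site before the payload can be examined.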
        Source: classification engineClassification label: mal100.troj.evad.winEXE@20/8@12/3
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT-PO#45678.exe.logJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{fa01d1ff-8193-42b2-a0e1-b0e6c90b42b3}
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8E26.tmpJump to behavior
        Source: PAYMENT-PO#45678.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: PAYMENT-PO#45678.exeReversingLabs: Detection: 41%
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeFile read: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
        Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe 'C:\Users\user\Desktop\PAYMENT-PO#45678.exe'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe C:\Users\user\Desktop\PAYMENT-PO#45678.exe
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp'
        Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe C:\Users\user\Desktop\PAYMENT-PO#45678.exe 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: PAYMENT-PO#45678.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: PAYMENT-PO#45678.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
        Source: PAYMENT-PO#45678.exeStatic file information: File size 1438208 > 1048576
        Source: PAYMENT-PO#45678.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x12ae00
        Source: PAYMENT-PO#45678.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: RunPE.pdb source: PAYMENT-PO#45678.exe, 00000000.00000002.206021714.0000000003271000.00000004.00000001.sdmp, PAYMENT-PO#45678.exe, 00000008.00000002.222478275.0000000002AA1000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.231089232.0000000005700000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.245812912.0000000004C20000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052BB720 push 8BB84589h; retf
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052BB769 push 8BB44589h; retf
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052BB7A8 push 8BB04589h; retf
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052BB7E2 push 0000002Fh; retf
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052BB691 push 8BC04589h; retf
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052BB6D8 push 8BBC4589h; retf
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052B9A7B push ecx; retf
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeCode function: 3_2_052B9AE1 push esp; retf
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeFile opened: C:\Users\user\Desktop\PAYMENT-PO#45678.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Window / User API: threadDelayed 6296
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Window / User API: threadDelayed 2938
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Window / User API: foregroundWindowGot 921
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 6644 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 6912 | Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 6980 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7012 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe TID: 7068 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1304 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1932 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: dhcpmon.exe | Binary or memory string: qFnHAHSx0rXjXNN3jJRtKvMCIXpz62HOGEq9bH0EfOXq8ybdT3P+dA4nnKt8FCOEwo5NTPKVjyB+2HkgL5mXA+YmWuc9k5jhRECR4bdftEOKqoKDThhnSzTmwtFRCh7Trh
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467335475.0000000001102000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473829034.0000000006D60000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Memory written: C:\Users\user\Desktop\PAYMENT-PO#45678.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Process created: C:\Users\user\Desktop\PAYMENT-PO#45678.exe C:\Users\user\Desktop\PAYMENT-PO#45678.exe
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473806728.0000000006C1D000.00000004.00000001.sdmp | Binary or memory string: Program ManagerH
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.468606930.0000000002F33000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467637340.0000000001660000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467637340.0000000001660000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473415873.000000000619B000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHT
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473645693.000000000660D000.00000004.00000001.sdmp | Binary or memory string: Program ManagerH4
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.473770625.0000000006ADE000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHt
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.467637340.0000000001660000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Queries volume information: C:\Users\user\Desktop\PAYMENT-PO#45678.exe VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#45678.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY
        Source: Yara match | File source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: PAYMENT-PO#45678.exe, 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: PAYMENT-PO#45678.exe, 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttribut
        Source: PAYMENT-PO#45678.exe, 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT-PO#45678.exe, 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttribut
eSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match, File source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6968, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6920, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6736, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 7020, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4952, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT-PO#45678.exe PID: 6600, type: MEMORY
Source: Yara match, File source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.3cc4c4d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.dhcpmon.exe.46d1fa0.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.dhcpmon.exe.3a00624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.PAYMENT-PO#45678.exe.3df4788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.dhcpmon.exe.39fb7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#45678.exe.46e1fa0.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.PAYMENT-PO#45678.exe.4380624.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.dhcpmon.exe.45d47a8.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.3a004d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.3a60510.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.PAYMENT-PO#45678.exe.4380624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.5540000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.3a60510.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.3e50624.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.dhcpmon.exe.45b4788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.PAYMENT-PO#45678.exe.3f11fa0.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.PAYMENT-PO#45678.exe.3e147a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.3a204f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.3a004d0.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.dhcpmon.exe.3a204f0.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.3cc0624.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.3e54c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#45678.exe.45c4788.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.PAYMENT-PO#45678.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.dhcpmon.exe.46d1fa0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.PAYMENT-PO#45678.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.dhcpmon.exe.45d47a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.3cc0624.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.dhcpmon.exe.45b4788.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.dhcpmon.exe.3a04c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.PAYMENT-PO#45678.exe.437b7ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.5544629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.dhcpmon.exe.3a00624.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.5540000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#45678.exe.45e47a8.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.PAYMENT-PO#45678.exe.4384c4d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.PAYMENT-PO#45678.exe.3e4b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.3cbb7ee.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Masquerading2 | Input Capture21 | Security Software Discovery11 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing11 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

The trailing digits after a technique name are the report's per-technique signature counters, kept as extracted.

Behavior Graph

Behavior Graph ID: 433324
Sample: PAYMENT-PO#45678.exe
Start date: 11/06/2021
Architecture: WINDOWS
Score: 100

Signatures on the start node:
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• Multi AV Scanner detection for dropped file
• 11 other signatures

Process tree (numbers in parentheses are the graph's per-node counters, kept as extracted):
• PAYMENT-PO#45678.exe (3), started from the start node
  - dropped: C:\Users\user\...\PAYMENT-PO#45678.exe.log, ASCII
  - signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
  - started: PAYMENT-PO#45678.exe (1 12)
    - DNS/IP: doc-file.ddns.net 194.5.97.7, 49718, 49724, 49725, DANILENKODE, Netherlands; 127.0.0.1 unknown unknown; 192.168.2.1 unknown unknown
    - dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO; C:\Users\user\AppData\Local\...\tmp8E26.tmp, XML; C:\...\dhcpmon.exe:Zone.Identifier, ASCII
    - signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    - started: schtasks.exe (1), which started conhost.exe
    - started: schtasks.exe (1), which started conhost.exe
  - started: PAYMENT-PO#45678.exe
• dhcpmon.exe (3), started from the start node
  - started: dhcpmon.exe
• PAYMENT-PO#45678.exe (2), started from the start node
  - started: PAYMENT-PO#45678.exe
• dhcpmon.exe, started from the start node
  - started: dhcpmon.exe

        Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PAYMENT-PO#45678.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
PAYMENT-PO#45678.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
10.0.PAYMENT-PO#45678.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
13.0.dhcpmon.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
13.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
13.0.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
10.2.PAYMENT-PO#45678.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.PAYMENT-PO#45678.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
10.0.PAYMENT-PO#45678.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.PAYMENT-PO#45678.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.PAYMENT-PO#45678.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.PAYMENT-PO#45678.exe.5540000.10.unpack | 100% | Avira | TR/NanoCore.fadte
11.0.dhcpmon.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

Source | Detection | Scanner
doc-file.ddns.net | 3% | Virustotal

URLs

Source | Detection | Scanner | Label
doc-file.ddns.net | 3% | Virustotal |
doc-file.ddns.net | 0% | Avira URL Cloud | safe
127.0.0.1 | 0% | Virustotal |
127.0.0.1 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
doc-file.ddns.net | 194.5.97.7 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
doc-file.ddns.net | true | 3% Virustotal; Avira URL Cloud: safe | unknown
127.0.0.1 | true | 0% Virustotal; Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.97.7 | doc-file.ddns.net | Netherlands | 208476 | DANILENKODE | true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433324
Start date: 11.06.2021
Start time: 16:32:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PAYMENT-PO#45678.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@20/8@12/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.4% (good quality ratio 0.3%)
• Quality average: 56.5%
• Quality standard deviation: 32.5%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded processes from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.88.21.125, 13.64.90.137, 20.50.102.62, 23.218.208.56, 205.185.216.10, 205.185.216.42, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.

Simulations

Behavior and APIs

Time | Type | Description
16:33:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\PAYMENT-PO#45678.exe" s>$(Arg0)
16:33:14 | API Interceptor | 1032x Sleep call for process: PAYMENT-PO#45678.exe modified
16:33:14 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:33:15 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
194.5.97.7 | PAYMENT-PO#987654567.exe | malicious
 | 8RJwUlmBjb.exe | malicious
 | B882ITuiXnqLLeM.exe | malicious
 | Doc_43795379326436.PDF.exe | malicious
 | aqa4dSbdFYw5DlK.exe | malicious
 | IITuGuCnGifznoN.exe | malicious
 | IITuGuCnGifznoN.exe | malicious
 | RAHIM TRADING CO. FOR IMP.exe | malicious
 | RAHIM TRADING CO. FOR IMP. & EXP.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
doc-file.ddns.net | PAYMENT-PO#987654567.exe | malicious | 194.5.97.7

ASN

Match | Associated Sample Name / URL | Detection | Context
DANILENKODE | PAYMENT-PO#987654567.exe | malicious | 194.5.97.7
 | OUTSTANDING INVOICE.pdf.exe | malicious | 194.5.98.28
 | Request Letter for Courtesy Call.xlsx | malicious | 194.5.97.61
 | SecuriteInfo.com.Heur.23766.xls | malicious | 194.5.97.241
 | SwiftCopy.pdf.exe | malicious | 194.5.98.31
 | wlCqbMRJ7p.exe | malicious | 194.5.98.5
 | SecuriteInfo.com.Trojan.PackedNET.832.3222.exe | malicious | 194.5.98.144
 | SecuriteInfo.com.Trojan.PackedNET.831.12541.exe | malicious | 194.5.98.144
 | 0Cg1YYs1sv.exe | malicious | 194.5.98.144
 | Duplicated Orders.xlsx | malicious | 194.5.98.144
 | DEPOSITAR.xlsx | malicious | 194.5.98.144
 | InvoicePOzGlybgcIc1vHasG.exe | malicious | 194.5.98.87
 | POInvoiceOrderIuVvcl0VWEOAmXy.exe | malicious | 194.5.98.87
 | payment invoice.exe | malicious | 194.5.98.23
 | #RFQ ORDER484475577797.exe | malicious | 194.5.98.120
 | b6yzWugw8V.exe | malicious | 194.5.98.107
 | 0041#Receipt.pif.exe | malicious | 194.5.98.180
 | j07ghiByDq.exe | malicious | 194.5.97.146
 | j07ghiByDq.exe | malicious | 194.5.97.146
 | PROOF OF PAYMENT.exe | malicious | 194.5.97.18

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1438208
Entropy (8bit): 4.79869790235378
Encrypted: false
SSDEEP: 12288:P6r9q+1i2mc3KEPdu4icYU/d+9x9/QV2HM5Jd+Zk3tsvON4Z1zOpz/YsQQyOTyMb:kKUw7Y1GOkqy0HPmH9pPQ4w5Q440X
MD5: 438425F009B373154E4E3629C3539581
SHA1: 5F686134A72FE1260D504DEDC88D8500C4F0C1F6
SHA-256: B2262126A955E306DC68487333394DC08C4FBD708A19AFEB531F58916DDB1CFD
SHA-512: 7AE88A722C03871CF121708B026AE80D9A1B52AF52F6C42D908E4921B426C057C98ABFC0BB8AEEDBF761F9D709F80E9E0C5B96166A0A0B815DFC8DC376AD04AA
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 41%
Reputation: low
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0......B......^.... ........@.. .......................@............@.....................................K.......4>................... ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...4>.......@..................@..@.reloc....... ......................@..B................@.......H.......PK..........%...................................................B...}......}....*6.~8...(....&*z.(........}......}......}....*B...}......}....*..(........}......}......}......}.......Z.s....}....*z.(........}......}......} ...*..*R.(!......s"...}#...*R.(!......s'...}(...*>..} ....(.....*N.sA...}!....(!....*".(.....*".(.....*>..}#....(.....*N.sA...}'....(.....*>..}9....(.....*.r#..pr.a.p('...(K...(.....7...~M...~7...oR...oS......8...*N.sA...}=....(8....*>..}N....(.....

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT-PO#45678.exe.log
Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.342604339328228
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCq1KDLI4Mq92n4M9XKbbDLI4MWuPJKiUrRZT:ML9E4Ks29E4Kx1qE4x84qXKDE4KhK3Vt
MD5: 9C1DF7CA80077C63698DCFE531754F1F
SHA1: 44E2DE975BF1364781A2E5EDE576D1FBCD948097
SHA-256: 78D4E6F15372E7DFE7C9D5C10BB515995A20AFAEF839C56E750CC336620BCFAB
SHA-512: 7078AFFB531F2AA5C813FB259C113CB1A02C992F76C47AAE036B8591C65EB4A2037B3BDAD83BBD4D30FA7D2CE244D9943C18EA8AA668FEBCD52B864E7476F84D
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.342604339328228
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCq1KDLI4Mq92n4M9XKbbDLI4MWuPJKiUrRZT:ML9E4Ks29E4Kx1qE4x84qXKDE4KhK3Vt
MD5: 9C1DF7CA80077C63698DCFE531754F1F
SHA1: 44E2DE975BF1364781A2E5EDE576D1FBCD948097
SHA-256: 78D4E6F15372E7DFE7C9D5C10BB515995A20AFAEF839C56E750CC336620BCFAB
SHA-512: 7078AFFB531F2AA5C813FB259C113CB1A02C992F76C47AAE036B8591C65EB4A2037B3BDAD83BBD4D30FA7D2CE244D9943C18EA8AA668FEBCD52B864E7476F84D
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp8E26.tmp
Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1306
Entropy (8bit): 5.143952376983823
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0/++xtn:cbk4oL600QydbQxIYODOLedq38Jj
MD5: 94EFA8AB0C786B66F62E9642A5B73D6D
SHA1: 3A8DB2E96347BCCBA05C6D471F0DB0A7A5C6D7BA
SHA-256: 2D6FC2F00387E055DD8D8F5D2CAD7116677E42DE42BF1970FEA67B5F975332F9
SHA-512: B09DA0146DEB021868FA502CC6B728A6491147291FC5433AC2FE89B38A63DC7BCC1F438AD65632BEDBBF6DA8F12FBC5E1DD4359B06DCDF6FDD893FB4580C9AF2
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp91A2.tmp
Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1310
Entropy (8bit): 5.109425792877704
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
File Type: Non-ISO extended-ASCII text, with CR line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:Pm:e
MD5: 0530B3218D0B896C1CD54343E50992B7
SHA1: F9968CF5EC56B274F84643B360F66D3090F50DC8
SHA-256: 508C10049BB3DA3167A31B1A2C3A73B1686C145644070DB8A781D4CDE5C908C8
SHA-512: 744856560943FDCBE62881D2A55154DAD8CCDD2FC4D34CC89C9C5B8E25E4A60F20041E9C5BB200DC422B2273BC3979D39DC9A36676E5111B69CA4C5B299EF8B7
Malicious: true
Preview: ...G1-.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Users\user\Desktop\PAYMENT-PO#45678.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 43
Entropy (8bit): 4.85056969651225
Encrypted: false
SSDEEP: 3:oNWXp5v1k+UdLAC:oNWXpFu+E0C
MD5: FF0FB06F43AF0FC6F1463829F4A9482D
SHA1: FA01AEC81BF55A5500363CF03FEB31206E1BAE12
SHA-256: 9AD4AEE3F7C04F11069D41167CFB9803790DC0E521560C57306DB97227A8C882
SHA-512: D35314F2E04306256E30C5CB555C51B5D7B66EA0951511D87F469DBC462C607FCAA3191A52E60765CC086F276FF78ABFF9FFF4125C4D70ACA6A4E5BD48D83F7C
Malicious: false
Preview: C:\Users\user\Desktop\PAYMENT-PO#45678.exe

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.79869790235378
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PAYMENT-PO#45678.exe
File size: 1438208
MD5: 438425f009b373154e4e3629c3539581
SHA1: 5f686134a72fe1260d504dedc88d8500c4f0c1f6
SHA256: b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd
SHA512: 7ae88a722c03871cf121708b026ae80d9a1b52af52f6c42d908e4921b426c057c98abfc0bb8aeedbf761f9d709f80e9e0c5b96166a0a0b815dfc8dc376ad04aa
SSDEEP: 12288:P6r9q+1i2mc3KEPdu4icYU/d+9x9/QV2HM5Jd+Zk3tsvON4Z1zOpz/YsQQyOTyMb:kKUw7Y1GOkqy0HPmH9pPQ4w5Q440X
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0......B......^.... ........@.. .......................@............@................................

File Icon

Icon Hash: 81c0c1a14931c4c8

Static PE Info

General

Entrypoint: 0x52cd5e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60B71CB7 [Wed Jun 2 05:52:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(The second instruction is listed 97 times in the report. It is the disassembly of the zero bytes that follow the six-byte entry stub: with an image base of 0x400000, the jmp reads the IAT slot at RVA 0x2000, whose only entry is mscoree.dll!_CorExeMain, the standard native entry point of a managed .NET executable.)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12cd10 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12e000 | 0x33e34 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x162000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x12ad64 | 0x12ae00 | False | 0.478605480186 | data | 4.07686637612 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x12e000 | 0x33e34 | 0x34000 | False | 0.437903771034 | data | 5.71331335745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x162000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x12e2b0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x12e718 | 0x988 | data | |
RT_ICON | 0x12f0a0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4293191654, next used block 4293257190 | |
RT_ICON | 0x130148 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4292927968, next used block 4292927968 | |
RT_ICON | 0x1326f0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4292533467, next used block 4292665053 | |
RT_ICON | 0x136918 | 0x5488 | data | |
RT_ICON | 0x13bda0 | 0x94a8 | data | |
RT_ICON | 0x145248 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x155a70 | 0xbe16 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x161888 | 0x84 | data | |
RT_VERSION | 0x16190c | 0x33c | data | |
RT_MANIFEST | 0x161c48 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2013
Assembly Version | 1.0.0.0
InternalName | SeededGrow2d.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | SeededGrow2d
ProductVersion | 1.0.0.0
FileDescription | SeededGrow2d
OriginalFilename | SeededGrow2d.exe

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          Jun 11, 2021 16:33:15.797086954 CEST497187755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:15.852803946 CEST775549718194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:16.361876011 CEST497187755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:16.418101072 CEST775549718194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:16.924458981 CEST497187755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:16.980441093 CEST775549718194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:21.558995962 CEST497247755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:21.617063046 CEST775549724194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:22.127948046 CEST497247755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:22.183934927 CEST775549724194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:22.690552950 CEST497247755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:22.746400118 CEST775549724194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:27.525605917 CEST497257755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:27.581844091 CEST775549725194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:28.222318888 CEST497257755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:28.278564930 CEST775549725194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:28.926484108 CEST497257755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:28.982737064 CEST775549725194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:48.677469969 CEST497357755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:48.733251095 CEST775549735194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:49.288755894 CEST497357755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:49.344686985 CEST775549735194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:49.895941973 CEST497357755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:49.951818943 CEST775549735194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:54.497811079 CEST497367755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:54.554167032 CEST775549736194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:55.099503994 CEST497367755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:55.155553102 CEST775549736194.5.97.7192.168.2.3
                          Jun 11, 2021 16:33:55.787070036 CEST497367755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:33:55.843167067 CEST775549736194.5.97.7192.168.2.3
                          Jun 11, 2021 16:34:00.153357029 CEST497427755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:34:00.208950996 CEST775549742194.5.97.7192.168.2.3
                          Jun 11, 2021 16:34:00.787547112 CEST497427755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:34:00.843358040 CEST775549742194.5.97.7192.168.2.3
                          Jun 11, 2021 16:34:01.493870974 CEST497427755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:34:01.549716949 CEST775549742194.5.97.7192.168.2.3
                          Jun 11, 2021 16:34:21.590092897 CEST497587755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:34:21.646116972 CEST775549758194.5.97.7192.168.2.3
                          Jun 11, 2021 16:34:22.148734093 CEST497587755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:34:22.204873085 CEST775549758194.5.97.7192.168.2.3
                          Jun 11, 2021 16:34:22.711643934 CEST497587755192.168.2.3194.5.97.7
                          Jun 11, 2021 16:34:22.768697023 CEST775549758194.5.97.7192.168.2.3
Jun 11, 2021 16:34:27.150758028 CEST | 49759 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:27.206760883 CEST | 7755 | 49759 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:27.711709023 CEST | 49759 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:27.768058062 CEST | 7755 | 49759 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:28.274146080 CEST | 49759 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:28.330152035 CEST | 7755 | 49759 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:32.702606916 CEST | 49760 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:32.758666992 CEST | 7755 | 49760 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:33.259124041 CEST | 49760 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:33.315072060 CEST | 7755 | 49760 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:33.821513891 CEST | 49760 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:33.877594948 CEST | 7755 | 49760 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:53.437741995 CEST | 49766 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:53.493501902 CEST | 7755 | 49766 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:53.995301962 CEST | 49766 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:54.051301003 CEST | 7755 | 49766 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:54.558037043 CEST | 49766 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:54.613758087 CEST | 7755 | 49766 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:59.084399939 CEST | 49767 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:59.140419960 CEST | 7755 | 49767 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:34:59.651859045 CEST | 49767 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:34:59.708055019 CEST | 7755 | 49767 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:35:00.214359045 CEST | 49767 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:35:00.270529032 CEST | 7755 | 49767 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:35:04.560087919 CEST | 49768 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:35:04.615951061 CEST | 7755 | 49768 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:35:05.121187925 CEST | 49768 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:35:05.177164078 CEST | 7755 | 49768 | 194.5.97.7 | 192.168.2.3
Jun 11, 2021 16:35:05.680794001 CEST | 49768 | 7755 | 192.168.2.3 | 194.5.97.7
Jun 11, 2021 16:35:05.736741066 CEST | 7755 | 49768 | 194.5.97.7 | 192.168.2.3

                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 16:33:01.254101038 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:01.307056904 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:02.201574087 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:02.251691103 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:03.346606970 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:03.396533012 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:04.594057083 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:04.644469976 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:05.617245913 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:05.670327902 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:06.785485983 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:06.835488081 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:07.729670048 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:07.782910109 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:08.651067019 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:08.712455034 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:10.025197029 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:10.095108986 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:11.416500092 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:11.466742992 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:12.635191917 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:12.694072962 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:13.810265064 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:13.870122910 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:14.754426956 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:14.805520058 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:15.727742910 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:15.787997961 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:16.259160995 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:16.309837103 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:17.533802986 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:17.583973885 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:18.654934883 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:18.705332994 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:19.829382896 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:19.879513979 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:20.957453012 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:21.028279066 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:21.495158911 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:21.557796955 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:27.433357000 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:27.495415926 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:34.349606991 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:34.409800053 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:38.989926100 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:39.061187029 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:48.615082979 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:48.675201893 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:54.439280987 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:54.489789009 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:56.195933104 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:56.249085903 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:56.491764069 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:56.550697088 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:57.361665964 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:57.420702934 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:58.530778885 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:58.589601040 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:33:59.721265078 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:33:59.782474995 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:00.090440035 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:00.152301073 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:00.409403086 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:00.468297958 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:01.340096951 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:01.401999950 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:01.682673931 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:01.744755030 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:02.186842918 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:02.237325907 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:03.317862034 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:03.376386881 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:04.435774088 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:04.495269060 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:05.083693027 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:05.142430067 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:20.514705896 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:20.576379061 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:21.528187990 CEST | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:21.588874102 CEST | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:27.071742058 CEST | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:27.132956982 CEST | 53 | 55708 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:32.623429060 CEST | 56803 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:32.683567047 CEST | 53 | 56803 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:46.342251062 CEST | 57145 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:46.412183046 CEST | 53 | 57145 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:47.990700006 CEST | 55359 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:48.049592972 CEST | 53 | 55359 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:53.377564907 CEST | 58306 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:53.436162949 CEST | 53 | 58306 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:34:59.023550987 CEST | 64124 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:34:59.081986904 CEST | 53 | 64124 | 8.8.8.8 | 192.168.2.3
Jun 11, 2021 16:35:04.499183893 CEST | 49361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 11, 2021 16:35:04.557481050 CEST | 53 | 49361 | 8.8.8.8 | 192.168.2.3

                          DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 16:33:15.727742910 CEST | 192.168.2.3 | 8.8.8.8 | 0xc76e | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:21.495158911 CEST | 192.168.2.3 | 8.8.8.8 | 0x78d4 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:27.433357000 CEST | 192.168.2.3 | 8.8.8.8 | 0x9ebb | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:48.615082979 CEST | 192.168.2.3 | 8.8.8.8 | 0x50a9 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:54.439280987 CEST | 192.168.2.3 | 8.8.8.8 | 0x69f1 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:00.090440035 CEST | 192.168.2.3 | 8.8.8.8 | 0xb694 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:21.528187990 CEST | 192.168.2.3 | 8.8.8.8 | 0x7e8e | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:27.071742058 CEST | 192.168.2.3 | 8.8.8.8 | 0xbbf5 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:32.623429060 CEST | 192.168.2.3 | 8.8.8.8 | 0x5029 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:53.377564907 CEST | 192.168.2.3 | 8.8.8.8 | 0xac17 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:59.023550987 CEST | 192.168.2.3 | 8.8.8.8 | 0xae58 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:04.499183893 CEST | 192.168.2.3 | 8.8.8.8 | 0xc692 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)

                          DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 16:33:15.787997961 CEST | 8.8.8.8 | 192.168.2.3 | 0xc76e | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:21.557796955 CEST | 8.8.8.8 | 192.168.2.3 | 0x78d4 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:27.495415926 CEST | 8.8.8.8 | 192.168.2.3 | 0x9ebb | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:48.675201893 CEST | 8.8.8.8 | 192.168.2.3 | 0x50a9 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:33:54.489789009 CEST | 8.8.8.8 | 192.168.2.3 | 0x69f1 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:00.152301073 CEST | 8.8.8.8 | 192.168.2.3 | 0xb694 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:21.588874102 CEST | 8.8.8.8 | 192.168.2.3 | 0x7e8e | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:27.132956982 CEST | 8.8.8.8 | 192.168.2.3 | 0xbbf5 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:32.683567047 CEST | 8.8.8.8 | 192.168.2.3 | 0x5029 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:53.436162949 CEST | 8.8.8.8 | 192.168.2.3 | 0xac17 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:59.081986904 CEST | 8.8.8.8 | 192.168.2.3 | 0xae58 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:04.557481050 CEST | 8.8.8.8 | 192.168.2.3 | 0xc692 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
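
The TCP and DNS tables above contain the three signals a network analyst would key on: every outbound connection goes to 194.5.97.7 on TCP 7755 (not a port any common service uses), the address is obtained each time by re-resolving doc-file.ddns.net (a dynamic DNS name, so the operator can move the server without touching the implant), and new connections open on a short fixed timer (roughly every 5 to 6 seconds, with one longer gap). The script below is an added example and not part of the Joe Sandbox report: it re-types a handful of rows from the two tables as constructed whitespace-separated input, derives one start time per connection from the first client-to-server packet on each source port, and scores each destination on those three indicators. The expected-port set, the dynamic-DNS suffix list and the regularity thresholds are assumptions chosen for illustration, not values the report states.

```python
"""Beacon triage over the network tables of this report.

Added example: not code from the Joe Sandbox report. The two record sets
below were re-typed by hand from the TCP-packet and DNS-answer tables into
whitespace-separated columns (constructed input). The port allow-list, the
dynamic-DNS suffixes and the regularity thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: timestamp, src port, dst port, src IP, dst IP.
# Server replies are included to show that only client->server packets count.
TCP_PACKETS = """
Jun 11, 2021 16:34:27.150758028 CEST 49759 7755 192.168.2.3 194.5.97.7
Jun 11, 2021 16:34:27.206760883 CEST 7755 49759 194.5.97.7 192.168.2.3
Jun 11, 2021 16:34:27.711709023 CEST 49759 7755 192.168.2.3 194.5.97.7
Jun 11, 2021 16:34:32.702606916 CEST 49760 7755 192.168.2.3 194.5.97.7
Jun 11, 2021 16:34:32.758666992 CEST 7755 49760 194.5.97.7 192.168.2.3
Jun 11, 2021 16:34:53.437741995 CEST 49766 7755 192.168.2.3 194.5.97.7
Jun 11, 2021 16:34:59.084399939 CEST 49767 7755 192.168.2.3 194.5.97.7
Jun 11, 2021 16:35:04.560087919 CEST 49768 7755 192.168.2.3 194.5.97.7
"""

# Constructed input: timestamp, queried name, answered address.
DNS_ANSWERS = """
Jun 11, 2021 16:34:27.132956982 CEST doc-file.ddns.net 194.5.97.7
Jun 11, 2021 16:34:32.683567047 CEST doc-file.ddns.net 194.5.97.7
Jun 11, 2021 16:34:53.436162949 CEST doc-file.ddns.net 194.5.97.7
Jun 11, 2021 16:34:59.081986904 CEST doc-file.ddns.net 194.5.97.7
Jun 11, 2021 16:35:04.557481050 CEST doc-file.ddns.net 194.5.97.7
"""

LOCAL_PREFIX = "192.168."                                   # assumption: analysis VM subnet
EXPECTED_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}       # assumption
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")  # assumption
MIN_CONNECTIONS = 3                                         # assumption
JITTER_SECONDS = 0.5                                        # assumption

LINE_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ (.+)$")


def parse_line(line):
    """Return (datetime, [fields]) for one report-style line. The report
    prints nine fractional digits; datetime keeps six, so the fraction is
    truncated to microseconds, which is plenty for interval arithmetic."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    when = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    when += timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))
    return when, m.group(3).split()


def connection_starts(tcp_text):
    """Earliest outbound packet per (dst IP, dst port, src port), i.e. one
    entry per TCP connection, grouped by destination and sorted by time."""
    first = {}
    for line in tcp_text.strip().splitlines():
        when, (sport, dport, sip, dip) = parse_line(line)
        if not sip.startswith(LOCAL_PREFIX) or dip.startswith(LOCAL_PREFIX):
            continue                                        # client->server only
        first.setdefault((dip, int(dport), int(sport)), when)
    by_dest = defaultdict(list)
    for (dip, dport, _sport), when in first.items():
        by_dest[(dip, dport)].append(when)
    return {dest: sorted(times) for dest, times in by_dest.items()}


def names_for_addresses(dns_text):
    """Map each answered address to the set of names that resolved to it."""
    names = defaultdict(set)
    for line in dns_text.strip().splitlines():
        _when, (name, addr) = parse_line(line)
        names[addr].add(name)
    return names


def find_beacons(tcp_text=TCP_PACKETS, dns_text=DNS_ANSWERS):
    """Score every destination; report those with at least two indicators."""
    names = names_for_addresses(dns_text)
    findings = []
    for (dip, dport), starts in connection_starts(tcp_text).items():
        if len(starts) < MIN_CONNECTIONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        median = statistics.median(gaps)
        # Share of reconnect intervals close to the median: an implant on a
        # fixed retry timer scores high even when one gap (a sleep) is longer.
        regular = sum(abs(g - median) <= JITTER_SECONDS for g in gaps) / len(gaps)
        reasons = []
        if dport not in EXPECTED_PORTS:
            reasons.append(f"non-standard destination port {dport}")
        ddns = sorted(n for n in names.get(dip, ()) if n.endswith(DYNAMIC_DNS_SUFFIXES))
        if ddns:
            reasons.append("resolved from dynamic DNS name " + ", ".join(ddns))
        if regular >= 0.5:
            reasons.append(f"{regular:.0%} of reconnects within {JITTER_SECONDS}s "
                           f"of the {median:.1f}s median")
        if len(reasons) >= 2:
            findings.append({"destination": f"{dip}:{dport}",
                             "connections": len(starts),
                             "median_interval": median,
                             "names": sorted(names.get(dip, ())),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_beacons():
        print(hit["destination"], hit["connections"], "connections")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Counting connections by first packet per source port rather than by packet keeps the keep-alive exchanges inside each session (the three client packets half a second apart on every source port above) from inflating the count; the regularity score uses the median so the single 20-second gap between ports 49760 and 49766 does not hide the timer.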

                          Code Manipulations

                          Statistics

                          Behavior


                          System Behavior

                          General

                          Start time:16:33:07
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\Desktop\PAYMENT-PO#45678.exe'
                          Imagebase:0xd40000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.208087031.00000000044CB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.208570601.0000000004624000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.208595608.0000000004656000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:08
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Imagebase:0x70000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low

                          General

                          Start time:16:33:09
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Imagebase:0x7d0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.203418579.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.473086416.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.203908472.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.473204133.0000000005540000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.468288291.0000000002E01000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.471752842.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.464764845.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:12
                          Start date:11/06/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'
                          Imagebase:0x1230000
                          File size:185856 bytes
                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:12
                          Start date:11/06/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6b2800000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:13
                          Start date:11/06/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp'
                          Imagebase:0x1230000
                          File size:185856 bytes
                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:13
                          Start date:11/06/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6b2800000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:16:33:15
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe 0
                          Imagebase:0x570000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.225394409.0000000003E54000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.225464738.0000000003E86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.224642029.0000000003CFB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:15
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                          Imagebase:0xd30000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.227725816.0000000004646000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.227089559.00000000044BB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.227679880.0000000004614000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 41%, ReversingLabs
                          Reputation:low
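
The process blocks above document the persistence chain in order: at 16:33:12 and 16:33:13 the sample runs schtasks.exe /create /f twice, each time importing a task definition from a throwaway tmpXXXX.tmp file under %LOCALAPPDATA%\Temp (task names DHCP Monitor and DHCP Monitor Task), and at 16:33:15 a binary with the sample's own MD5 starts from C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe. The script below is an added example, not code from the Joe Sandbox report: it parses a hand-trimmed copy of those General blocks (constructed input, only the fields it reads) and emits one finding per scheduled-task creation from a temp XML and one per execution of the submitted hash from a second path. The temp-file pattern is an assumption generalised from this run, and the link it draws between a task and the dropped copy is by name only, because the report shows the schtasks command lines but not the XML they import.

```python
"""Persistence triage over the process list of this report.

Added example: not code from the Joe Sandbox report. PROCESS_RECORDS is a
hand-trimmed copy of the "General" blocks above, keeping only the fields
this script reads (constructed input). The temp-XML pattern and the
name-based task-to-binary link are assumptions.
"""
import re
from ntpath import basename, dirname

PROCESS_RECORDS = r"""
General
Start time:16:33:07
Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
Commandline:'C:\Users\user\Desktop\PAYMENT-PO#45678.exe'
MD5 hash:438425F009B373154E4E3629C3539581
General
Start time:16:33:12
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8E26.tmp'
MD5 hash:15FF7D8324231381BAD48A052F85DF04
General
Start time:16:33:13
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91A2.tmp'
MD5 hash:15FF7D8324231381BAD48A052F85DF04
General
Start time:16:33:15
Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
MD5 hash:438425F009B373154E4E3629C3539581
"""

SAMPLE_MD5 = "438425F009B373154E4E3629C3539581"
# Assumption: the task definition is written to %LOCALAPPDATA%\Temp\tmpXXXX.tmp
# and deleted after import, so the path itself is the indicator.
TEMP_XML_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]+\.tmp$", re.I)


def parse_records(text):
    """Split the report's 'General' blocks into dicts of key -> value.
    Splitting on the first colon only keeps a Windows drive letter intact."""
    procs, cur = [], None
    for line in text.strip().splitlines():
        if line.strip() == "General":
            cur = {}
            procs.append(cur)
            continue
        key, sep, value = line.partition(":")
        if cur is not None and sep:
            cur[key.strip()] = value.strip()
    return procs


def arg_value(cmdline, flag):
    """Value following `flag`; accepts the single quotes the report prints,
    the double quotes of a real process-creation log, or no quotes."""
    m = re.search(re.escape(flag) + r"\s+(?:['\"]([^'\"]*)['\"]|(\S+))", cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def triage(text=PROCESS_RECORDS, sample_md5=SAMPLE_MD5):
    """Return findings for task creation from temp XML and for copies of the
    submitted sample executing from a new location."""
    procs = parse_records(text)
    findings, tasks = [], []

    # Rule 1: schtasks /create importing a throwaway XML from %TEMP%.
    for p in procs:
        cmd = p.get("Commandline", "")
        if basename(p.get("Path", "")).lower() != "schtasks.exe" or "/create" not in cmd.lower():
            continue
        xml = arg_value(cmd, "/xml") or ""
        task = arg_value(cmd, "/tn")
        tasks.append(task)
        findings.append({"rule": "schtasks_create_from_temp_xml" if TEMP_XML_RE.search(xml)
                                 else "schtasks_create",
                         "time": p.get("Start time"), "task": task, "xml": xml})

    # Rule 2: the submitted binary (same MD5) running from a second path,
    # i.e. the dropped copy that the scheduled tasks are meant to relaunch.
    same_hash = sorted((p for p in procs if p.get("MD5 hash", "").upper() == sample_md5.upper()),
                       key=lambda p: p.get("Start time", ""))
    if same_hash:
        origin = same_hash[0]["Path"]
        for path in sorted({p["Path"] for p in same_hash} - {origin}):
            install_dir = basename(dirname(path))
            # Name-based link only (assumption): tasks whose name starts with
            # the install directory name are attributed to this copy.
            linked = [t for t in tasks if t and t.lower().startswith(install_dir.lower())]
            findings.append({"rule": "sample_copy_executed", "path": path,
                             "origin": origin, "install_dir": install_dir,
                             "linked_tasks": linked})
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On a live host the same two rules map directly onto process-creation telemetry: rule 1 needs only the image path and command line of schtasks.exe, and rule 2 needs the file hash that most EDR and Sysmon configurations already record, so the hash of the submitted sample is enough to find the copy under Program Files (x86) even though its file name gives nothing away.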

                          General

                          Start time:16:33:16
                          Start date:11/06/2021
                          Path:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\PAYMENT-PO#45678.exe
                          Imagebase:0xde0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.220271257.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.240713168.0000000004339000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.239124014.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:17
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Imagebase:0x5b0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.242717405.00000000029B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.221925300.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.243007517.00000000039B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.221405279.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:23
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                          Imagebase:0x1f0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.241762181.000000000393B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:16:33:25
                          Start date:11/06/2021
                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Imagebase:0x7b0000
                          File size:1438208 bytes
                          MD5 hash:438425F009B373154E4E3629C3539581
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.238827557.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.256058278.0000000002C71000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.256103684.0000000002CA8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000000.238326483.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.255169446.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.256151588.0000000003C79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low
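                          Added example, not part of the Joe Sandbox report: a small parser that turns Yara-match lines like the ones above into a per-process triage summary. It assumes the memory-dump source name is laid out as process index, dump iteration, sequence number, base address, page protection and region type; that layout is inferred from the entries here and is not stated on the page. The six sample lines are copied from this report. Regions that matched while mapped PAGE_EXECUTE_READWRITE (protection field 00000040) are flagged separately, because writable, executable memory at the image's code address (0x402000 in these entries) is the footprint of in-memory unpacking or injection rather than a normally mapped section, and a region that already matches in iteration 0 held the payload at the first dump.

```python
"""Summarise Joe Sandbox Yara-match lines per process.

Added example, not report or vendor code. The .sdmp field layout used below is
an assumption inferred from the entries in this report.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Subset of the winnt.h page-protection constants, used to decode the
# protection field of the dump name.
PAGE_EXECUTE_READWRITE = 0x40
PROTECTION_NAMES = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Assumed layout of a dump name:
#   <process index>.<dump iteration>.<sequence>.<base address>.<protection>.<type>.sdmp
HIT_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>[^,]+),\s*Source:\s*"
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<iteration>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp,"
    r"\s*Author:\s*(?P<author>.+?)\s*$"
)


@dataclass(frozen=True)
class YaraHit:
    rule: str
    description: str
    process: int      # sandbox process index (shown in hex in the report)
    iteration: int    # 0 = first dump after start, higher = later dumps (assumed)
    base: int         # base address of the dumped region
    protection: int   # page protection of the region at dump time
    author: str


def parse_hit(line: str) -> Optional[YaraHit]:
    """Parse one '• Rule: ..., Source: ....sdmp, Author: ...' line; None if it is not a hit."""
    m = HIT_RE.search(line)
    if not m:
        return None
    return YaraHit(
        rule=m["rule"].strip(),
        description=m["desc"].strip(),
        process=int(m["pid"], 16),
        iteration=int(m["iteration"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        author=m["author"].strip(),
    )


def parse_report(text: str) -> list[YaraHit]:
    """Keep only the lines that are Yara hits; headers such as 'Reputation:low' are skipped."""
    return [h for h in (parse_hit(line) for line in text.splitlines()) if h]


def rules_per_process(hits: list[YaraHit]) -> dict[int, set[str]]:
    out: dict[int, set[str]] = defaultdict(set)
    for h in hits:
        out[h.process].add(h.rule)
    return dict(out)


def rwx_regions(hits: list[YaraHit]) -> list[tuple[int, int]]:
    """(process, base) pairs that matched while mapped writable and executable."""
    return sorted({(h.process, h.base) for h in hits if h.protection == PAGE_EXECUTE_READWRITE})


def regions_present_at_start(hits: list[YaraHit]) -> list[tuple[int, int]]:
    """(process, base) pairs that already matched in iteration 0, i.e. at the first dump."""
    return sorted({(h.process, h.base) for h in hits if h.iteration == 0})


def describe(hits: list[YaraHit]) -> list[str]:
    lines = []
    for pid, rules in sorted(rules_per_process(hits).items()):
        lines.append(f"process {pid:#04x}: {len(rules)} distinct rule(s): {', '.join(sorted(rules))}")
    for pid, base in rwx_regions(hits):
        lines.append(f"process {pid:#04x}: hit in {PROTECTION_NAMES[PAGE_EXECUTE_READWRITE]} region at {base:#x}")
    for pid, base in regions_present_at_start(hits):
        lines.append(f"process {pid:#04x}: region {base:#x} already matched at the first dump")
    return lines


# Six match lines copied verbatim from this report (processes 0A to 0D).
SAMPLE_MATCHES = """\
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.240622188.0000000003331000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000000.219525412.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.240871445.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.242332686.0000000003A60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.256103684.0000000002CA8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:low
"""

if __name__ == "__main__":
    for line in describe(parse_report(SAMPLE_MATCHES)):
        print(line)
```

                          Run it on the full match list of a report to see at a glance which processes carry the payload, which of them hold it in writable code pages, and whether the payload was present from the first dump, which is the distinction between a process that unpacked it and one that was started with it already injected.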

                          Disassembly

                          Code Analysis
