
Windows Analysis Report Contact00212399490.exe

Overview

General Information

Sample Name: Contact00212399490.exe
Analysis ID: 451851
MD5: fb87d692632732ce29ecc8c5ae64f5cf
SHA1: f636d1dba447fd4f579fd4a85a3cc88062759a99
SHA256: a5a3b625c48719d4e593435c16795b64d61d25bfeaf20fead77c6cac57241ba4
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Contact00212399490.exe (PID: 6856 cmdline: 'C:\Users\user\Desktop\Contact00212399490.exe' MD5: FB87D692632732CE29ECC8C5AE64F5CF)
    • Contact00212399490.exe (PID: 6852 cmdline: {path} MD5: FB87D692632732CE29ECC8C5AE64F5CF)
      • schtasks.exe (PID: 6564 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp293F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6492 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2D28.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 7024 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: FB87D692632732CE29ECC8C5AE64F5CF)
    • dhcpmon.exe (PID: 6564 cmdline: {path} MD5: FB87D692632732CE29ECC8C5AE64F5CF)
  • dhcpmon.exe (PID: 5908 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: FB87D692632732CE29ECC8C5AE64F5CF)
    • dhcpmon.exe (PID: 5304 cmdline: {path} MD5: FB87D692632732CE29ECC8C5AE64F5CF)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "238a496b-ffb2-448a-bc1f-f27aa516", "Group": "Default", "Domain1": "", "Domain2": "hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu", "Port": 2017, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.415", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 18.2.dhcpmon.exe.4591288.1.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 18.2.dhcpmon.exe.4591288.1.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 18.2.dhcpmon.exe.4591288.1.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 18.2.dhcpmon.exe.4591288.1.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.Contact00212399490.exe.411eb0c.6.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Contact00212399490.exe, ProcessId: 6852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Contact00212399490.exe, ProcessId: 6852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Contact00212399490.exe, ProcessId: 6852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Contact00212399490.exe, ProcessId: 6852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Contact00212399490.exe | Virustotal: Detection: 18%
Source: Contact00212399490.exe | ReversingLabs: Detection: 13%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Contact00212399490.exe | Joe Sandbox ML: detected
Source: 25.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.Contact00212399490.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.Contact00212399490.exe.5c90000.10.unpack | Avira: Label: TR/NanoCore.fadte
Source: 8.2.Contact00212399490.exe.41b7b08.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 8.2.Contact00212399490.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: Contact00212399490.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Contact00212399490.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Contact00212399490.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 202.55.134.123:2017
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs:
Source: Malware configuration extractor | URLs: hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 202.55.134.123:2017
Source: unknown | DNS traffic detected: queries for: hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu
          Source: Contact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Contact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/ra
          Source: Contact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cne
          Source: Contact00212399490.exe, 00000000.00000003.641302171.000000000520D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnm
          Source: Contact00212399490.exe, 00000000.00000003.641326742.00000000051D4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnp.
          Source: Contact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnsofj
          Source: Contact00212399490.exe, 00000000.00000003.649077373.00000000051DD000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Contact00212399490.exe, 00000000.00000003.639853812.00000000051EB000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Contact00212399490.exe, 00000000.00000003.640797031.00000000051D9000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr%(
          Source: dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Contact00212399490.exe, 00000000.00000003.640085856.00000000051EB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com?GF
          Source: Contact00212399490.exe, 00000000.00000003.640128252.00000000051EB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comEG
          Source: Contact00212399490.exe, 00000000.00000003.640085856.00000000051EB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comFLG9
          Source: Contact00212399490.exe, 00000000.00000003.640128252.00000000051EB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comcm?GF
          Source: Contact00212399490.exe, 00000000.00000003.640128252.00000000051EB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlichG
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Contact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de~=
          Source: Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: Contact00212399490.exe, 00000000.00000002.725089805.0000000000EA8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: Contact00212399490.exe, 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

          E-Banking Fraud:

          Yara detected Nanocore RAT
          Source: Yara match; File source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 23.2.Contact00212399490.exe.411eb0c.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 24.2.dhcpmon.exe.439eb0c.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 23.2.Contact00212399490.exe.411eb0c.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.Contact00212399490.exe.3ed1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.Contact00212399490.exe.41bc131.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 24.2.dhcpmon.exe.439eb0c.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.Contact00212399490.exe.5c90000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.Contact00212399490.exe.5c90000.10.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.dhcpmon.exe.3f13135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 23.2.Contact00212399490.exe.4123135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 24.2.dhcpmon.exe.43a3135.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.Contact00212399490.exe.41b7b08.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.dhcpmon.exe.3f0eb0c.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.dhcpmon.exe.3f0eb0c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.Contact00212399490.exe.5c94629.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.Contact00212399490.exe.41b7b08.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 14.2.dhcpmon.exe.47e1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.2.Contact00212399490.exe.3dc1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 18.2.dhcpmon.exe.4591288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.820081893.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.909997625.00000000041AF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000018.00000002.831387157.0000000004351000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: Contact00212399490.exe PID: 6032, type: MEMORY
          Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5304, type: MEMORY
          Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6564, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 23.2.Contact00212399490.exe.411eb0c.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.3373ac8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.439eb0c.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.411eb0c.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.Contact00212399490.exe.3ed1288.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.Contact00212399490.exe.3ed1288.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.2.Contact00212399490.exe.59f0000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.2ee3ac8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.2.Contact00212399490.exe.41bc131.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.2.Contact00212399490.exe.3161280.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.dhcpmon.exe.439eb0c.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.2.Contact00212399490.exe.5c90000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.2.Contact00212399490.exe.5c90000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.3f13135.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 23.2.Contact00212399490.exe.4123135.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.43a3135.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.2.Contact00212399490.exe.41b7b08.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.3f0eb0c.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.2.dhcpmon.exe.3f0eb0c.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.2.Contact00212399490.exe.5c94629.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 8.2.Contact00212399490.exe.41b7b08.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 14.2.dhcpmon.exe.47e1288.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 14.2.dhcpmon.exe.47e1288.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 23.2.Contact00212399490.exe.30f3980.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 12.2.Contact00212399490.exe.3dc1288.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 12.2.Contact00212399490.exe.3dc1288.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.dhcpmon.exe.4591288.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.dhcpmon.exe.4591288.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000017.00000002.820081893.00000000030D1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000008.00000002.911502248.00000000059F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.831387157.0000000004351000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: Contact00212399490.exe PID: 6032, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: Contact00212399490.exe PID: 6032, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 5304, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 5304, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 6564, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 6564, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          .NET source code contains very large strings
          Source: Contact00212399490.exe, Group.cs; Long String: Length: 32771
          Source: 0.0.Contact00212399490.exe.6b0000.0.unpack, Group.cs; Long String: Length: 32771
          Source: 0.2.Contact00212399490.exe.6b0000.0.unpack, Group.cs; Long String: Length: 32771
          Source: dhcpmon.exe.8.dr, Group.cs; Long String: Length: 32771
          Source: 8.2.Contact00212399490.exe.900000.1.unpack, Group.cs; Long String: Length: 32771
          Source: 8.0.Contact00212399490.exe.900000.0.unpack, Group.cs; Long String: Length: 32771
          Source: 12.0.Contact00212399490.exe.5e0000.0.unpack, Group.cs; Long String: Length: 32771
          Source: 12.2.Contact00212399490.exe.5e0000.0.unpack, Group.cs; Long String: Length: 32771
          Source: 14.0.dhcpmon.exe.ec0000.0.unpack, Group.cs; Long String: Length: 32771
          Source: 14.2.dhcpmon.exe.ec0000.0.unpack, Group.cs; Long String: Length: 32771
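          The "very large strings" signature above fires on a single 32771-character literal in Group.cs, present in the submitted file, the dropped dhcpmon.exe and every unpacked image. C# string literals are compiled into the assembly's #US (user string) heap as UTF-16LE, so a literal that long is visible in the raw file as a run of roughly 64 KB of UTF-16LE text. The script below is an added triage helper, not part of this Joe Sandbox report and not code from the sample: it finds every long printable UTF-16LE run in a PE image, reports its file offset and character count, and flags whether the run is drawn purely from the base64 alphabet, which is what an embedded, encoded next-stage payload in a .NET loader typically looks like. It scans a constructed byte blob that stands in for the binary (no bytes from Contact00212399490.exe are reproduced), and the 4096-character threshold is an assumption chosen for the demo; point find_long_utf16_strings at the real file's bytes to reproduce the check.

```python
"""Added triage helper (not from the sandbox report or the sample).

C# string literals are compiled into the assembly's #US (user string) heap as
UTF-16LE, so a 32771-character literal in Group.cs appears in the file as a run
of roughly 64 KB of UTF-16LE text. Scanning a binary for long printable
UTF-16LE runs reproduces the 'very large strings' check without a decompiler
and tells you at a glance whether the blob is base64-like (a common way for
.NET loaders to embed a next-stage payload).
"""
import base64
import re
import string
from dataclasses import dataclass
from typing import List

# Every character of the base64 alphabet plus padding.
_B64_CHARS = frozenset(string.ascii_letters + string.digits + "+/=")


@dataclass
class LongString:
    offset: int        # file offset where the run starts
    length: int        # number of characters (UTF-16 code units)
    base64_like: bool  # True when every character is in the base64 alphabet
    preview: str       # first 32 characters, for a quick look


def find_long_utf16_strings(data: bytes, min_chars: int = 1024) -> List[LongString]:
    """Return every run of at least min_chars printable ASCII characters encoded
    as UTF-16LE (each character is one printable byte followed by 0x00).
    Plain ASCII runs and binary data never satisfy the pattern."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    hits = []
    for match in pattern.finditer(data):
        text = match.group(0).decode("utf-16-le")
        hits.append(LongString(
            offset=match.start(),
            length=len(text),
            base64_like=set(text) <= _B64_CHARS,
            preview=text[:32],
        ))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for a .NET binary: a few short UTF-16LE literals,
    a plain ASCII run that is NOT UTF-16, and one 39936-character base64 blob.
    These are not bytes from Contact00212399490.exe."""
    payload = base64.b64encode(bytes(range(256)) * 117)  # 29952 bytes -> 39936 chars
    return (
        b"MZ\x90\x00\x03\x00\x00\x00"                      # fake PE header start
        + "Group".encode("utf-16-le") + b"\x00\x00"         # short literal (5 chars)
        + b"A" * 5000                                       # ASCII run: must not match
        + "dhcpmon.exe".encode("utf-16-le") + b"\x00\x00"   # short literal (11 chars)
        + payload.decode("ascii").encode("utf-16-le") + b"\x00\x00"
        + b"\xff" * 16
    )


def main() -> None:
    for hit in find_long_utf16_strings(build_sample(), min_chars=4096):
        flag = "base64-like" if hit.base64_like else "mixed"
        print(f"offset=0x{hit.offset:x} length={hit.length} {flag} {hit.preview!r}")


if __name__ == "__main__":
    main()
```

          On the constructed blob only the 39936-character base64 run clears the 4096-character threshold; with a tiny threshold the two short literals also surface, while the 5000-byte plain ASCII run never does, because it lacks the interleaved 0x00 bytes that UTF-16LE text has. Against a real loader, decoding the flagged run (base64, then whatever reversible transform the decompiled code applies) is the usual route to the embedded stage that the Yara rules above are matching in memory.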
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F35268
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F38240
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F36210
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F34BF0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3DF90
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F37370
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3DD46
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F30148
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3A538
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3B4F0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3B4A0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F39C90
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F36E48
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3DA36
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3C410
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3CA10
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F39A08
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3C408
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3CA0C
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3F3FA
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F399F8
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3C1D0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3C1C0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F39FA8
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3A3A8
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F39F98
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3A398
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F38F80
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3DF80
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F38F71
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F36170
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F38140
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F30139
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3DB3F
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3BD10
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F35701
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 0_2_04F3BD00
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E65268
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E68240
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E66210
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E64BF0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6DF90
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6736A
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6DD44
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E60148
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6A538
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6B4F0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6B4A0
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E69C90
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6F440
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E66E48
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6DA36
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6C402
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6CA02
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E69A08
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6C410
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E6CA10
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E64BE1
          Source: C:\Users\user\Desktop\Contact00212399490.exe; Code function: 12_2_04E699F8
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6C1C0
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6C1D0
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E69FA8
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6A3A8
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E68F80
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6DF80
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6818A
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E66191
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E69F98
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6A398
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E68F70
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6DB32
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E60139
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6BD00
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E65701
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 12_2_04E6BD10
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FDD3E
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FA538
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F736B
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F0148
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FDF90
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F4BF0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F6210
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F5268
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F8240
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FF33E
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F0139
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F5701
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FBD00
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FBD10
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F8F71
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F6170
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FDD44
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F8140
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F9FA8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FA3A8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FF3B2
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F8F80
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FDF80
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F9F98
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FA398
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FF3EF
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F4BE1
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F99F8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FC1C0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FC1D0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FDA36
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F9A08
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FC403
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FCA03
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FC410
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FCA10
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F6E48
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FD842
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FB4A0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032F9C90
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_032FB4F0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309A538
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309DD33
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03090148
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309736A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309DF90
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03094BF0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03096210
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03098240
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03095268
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03095701
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309BD00
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309BD10
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03090139
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309DD38
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309817F
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03098F70
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309DF81
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03098F80
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03099F98
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309A398
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03096191
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03099FA8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309A3A8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309C1C0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309C1D0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03094BE1
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_030999F8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03099A08
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309C402
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309C410
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309CA10
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309DA36
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03096E48
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0309F440
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_03099C90
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 23_2_012D2FA8
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 23_2_012D23A0
          Source: C:\Users\user\Desktop\Contact00212399490.exeCode function: 23_2_012D306F
          Source: Contact00212399490.exe, 00000000.00000000.638347755.000000000078E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametfXNK.exe> vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000000.00000002.729800351.00000000040C5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000000.00000002.725089805.0000000000EA8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000000.00000002.734969174.0000000006820000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000000.00000002.730745964.00000000050A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000008.00000000.723780239.00000000009DE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametfXNK.exe> vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000008.00000002.911808408.0000000005C80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000008.00000002.911346210.0000000005990000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000008.00000002.913270432.00000000067E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000008.00000002.909454601.0000000003151000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000008.00000002.910467247.00000000052A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Contact00212399490.exe
          Source: Contact00212399490.exe, 0000000C.00000002.809037859.0000000003FB5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Contact00212399490.exe
          Source: Contact00212399490.exe, 0000000C.00000002.803642995.00000000006BE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametfXNK.exe> vs Contact00212399490.exe
          Source: Contact00212399490.exe, 0000000C.00000002.809674483.00000000050D0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs Contact00212399490.exe
          Source: Contact00212399490.exe, 0000000C.00000002.812043442.0000000006350000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.818905556.0000000002BD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000000.803177642.000000000088E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametfXNK.exe> vs Contact00212399490.exe
          Source: Contact00212399490.exe Binary or memory string: OriginalFilenametfXNK.exe> vs Contact00212399490.exe
          Source: Contact00212399490.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 23.2.Contact00212399490.exe.411eb0c.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.411eb0c.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.3373ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.3373ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.439eb0c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.439eb0c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.411eb0c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.411eb0c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.Contact00212399490.exe.3ed1288.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.Contact00212399490.exe.3ed1288.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.2.Contact00212399490.exe.59f0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.59f0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.2ee3ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.2ee3ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.2.Contact00212399490.exe.41bc131.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.41bc131.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.2.Contact00212399490.exe.3161280.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.3161280.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.dhcpmon.exe.439eb0c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.439eb0c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 8.2.Contact00212399490.exe.5c90000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.5c90000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.2.Contact00212399490.exe.5c90000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.5c90000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.3f13135.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.3f13135.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 23.2.Contact00212399490.exe.4123135.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.4123135.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.43a3135.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.43a3135.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 8.2.Contact00212399490.exe.41b7b08.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.41b7b08.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.3f0eb0c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.3f0eb0c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 25.2.dhcpmon.exe.3f0eb0c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.3f0eb0c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 8.2.Contact00212399490.exe.5c94629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.5c94629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 8.2.Contact00212399490.exe.41b7b08.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.41b7b08.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 14.2.dhcpmon.exe.47e1288.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 14.2.dhcpmon.exe.47e1288.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 23.2.Contact00212399490.exe.30f3980.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.30f3980.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.Contact00212399490.exe.3dc1288.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.Contact00212399490.exe.3dc1288.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.dhcpmon.exe.4591288.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.dhcpmon.exe.4591288.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000017.00000002.820081893.00000000030D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000002.911502248.00000000059F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000002.911502248.00000000059F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000018.00000002.831387157.0000000004351000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: Contact00212399490.exe PID: 6032, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: Contact00212399490.exe PID: 6032, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 5304, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 5304, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 6564, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 6564, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Contact00212399490.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/9@13/1
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File created: C:\Program Files (x86)\DHCP Monitor
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Contact00212399490.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_01
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{238a496b-ffb2-448a-bc1f-f27aa51697ac}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File created: C:\Users\user\AppData\Local\Temp\tmp293F.tmp
          Source: Contact00212399490.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Contact00212399490.exe | Virustotal: Detection: 18%
          Source: Contact00212399490.exe | ReversingLabs: Detection: 13%
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File read: C:\Users\user\Desktop\Contact00212399490.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Contact00212399490.exe 'C:\Users\user\Desktop\Contact00212399490.exe'
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Users\user\Desktop\Contact00212399490.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp293F.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2D28.tmp'
          Source: unknown | Process created: C:\Users\user\Desktop\Contact00212399490.exe C:\Users\user\Desktop\Contact00212399490.exe 0
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Users\user\Desktop\Contact00212399490.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Users\user\Desktop\Contact00212399490.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp293F.tmp'
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2D28.tmp'
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Users\user\Desktop\Contact00212399490.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: Contact00212399490.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Contact00212399490.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb_RO source: Contact00212399490.exe, 00000008.00000002.909052736.0000000002E05000.00000004.00000040.sdmp
          Source: Binary string: System.pdbL source: Contact00212399490.exe, 00000008.00000002.909052736.0000000002E05000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\System.pdbws source: Contact00212399490.exe, 00000008.00000002.909052736.0000000002E05000.00000004.00000040.sdmp
          Source: Binary string: indows\System.pdbpdbtem.pdbE= source: Contact00212399490.exe, 00000008.00000002.909052736.0000000002E05000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\symbols\dll\System.pdb source: Contact00212399490.exe, 00000008.00000002.909052736.0000000002E05000.00000004.00000040.sdmp
          Source: Binary string: mscorrc.pdb source: Contact00212399490.exe, 00000000.00000002.734969174.0000000006820000.00000002.00000001.sdmp, Contact00212399490.exe, 00000008.00000002.911346210.0000000005990000.00000002.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.812043442.0000000006350000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.830334122.0000000006C70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.836410833.0000000006A90000.00000002.00000001.sdmp
          Source: Binary string: C:\Windows\System.pdb source: Contact00212399490.exe, 00000008.00000002.909052736.0000000002E05000.00000004.00000040.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Contact00212399490.exe, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Contact00212399490.exe.6b0000.0.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Contact00212399490.exe.6b0000.0.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: dhcpmon.exe.8.dr, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.Contact00212399490.exe.900000.1.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.Contact00212399490.exe.900000.0.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.0.Contact00212399490.exe.5e0000.0.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.2.Contact00212399490.exe.5e0000.0.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 14.0.dhcpmon.exe.ec0000.0.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 14.2.dhcpmon.exe.ec0000.0.unpack, TaskEightBestOil.cs .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 8_3_044661B7 push ebp; retf
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 8_3_0446A45F pushad ; iretd
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 8_3_0446B973 push ebx; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.70970971549
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 8.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\Contact00212399490.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\Contact00212399490.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp293F.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\Contact00212399490.exe File opened: C:\Users\user\Desktop\Contact00212399490.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\Contact00212399490.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7024, type: MEMORY
          Source: Yara match File source: Process Memory Space: Contact00212399490.exe PID: 6712, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Contact00212399490.exe, 00000000.00000002.726280917.0000000002DBD000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.805643209.0000000002CAD000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.816829968.00000000036CD000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Contact00212399490.exe, 00000000.00000002.726280917.0000000002DBD000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.805643209.0000000002CAD000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.816829968.00000000036CD000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 8_3_0445F0B9 sldt word ptr [eax]
          Source: C:\Users\user\Desktop\Contact00212399490.exe Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Contact00212399490.exe Window / User API: foregroundWindowGot 650
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6876 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6640 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6640 Thread sleep count: 172 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6640 Thread sleep count: 188 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6640 Thread sleep count: 41 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6584 Thread sleep count: 41 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6584 Thread sleep time: -820000s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6736 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6972 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4808 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6492 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5264 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5340 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: Contact00212399490.exe, 00000008.00000002.913270432.00000000067E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Contact00212399490.exe, 00000008.00000002.913270432.00000000067E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: Contact00212399490.exe, 00000008.00000002.913270432.00000000067E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: dhcpmon.exe, 00000012.00000002.830762180.000000000347D000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: Contact00212399490.exe, 00000008.00000002.913270432.00000000067E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Contact00212399490.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Contact00212399490.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Contact00212399490.exe Memory written: C:\Users\user\Desktop\Contact00212399490.exe base: 400000 value starts with: 4D5A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Contact00212399490.exe Process created: C:\Users\user\Desktop\Contact00212399490.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp293F.tmp'
          Source: C:\Users\user\Desktop\Contact00212399490.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2D28.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: Contact00212399490.exe, 00000008.00000002.909903375.00000000033C0000.00000004.00000001.sdmp Binary or memory string: Program Managerh
          Source: Contact00212399490.exe, 00000008.00000002.909518228.00000000031A4000.00000004.00000001.sdmp Binary or memory string: Program Manager
          Source: Contact00212399490.exe, 00000008.00000002.908766271.00000000016C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: Contact00212399490.exe, 00000008.00000002.908766271.00000000016C0000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: Contact00212399490.exe, 00000008.00000002.908766271.00000000016C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.411eb0c.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.439eb0c.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.411eb0c.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Contact00212399490.exe.3ed1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Contact00212399490.exe.41bc131.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.439eb0c.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Contact00212399490.exe.5c90000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Contact00212399490.exe.5c90000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3f13135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.4123135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.43a3135.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Contact00212399490.exe.41b7b08.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3f0eb0c.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3f0eb0c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Contact00212399490.exe.5c94629.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Contact00212399490.exe.41b7b08.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.dhcpmon.exe.47e1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.Contact00212399490.exe.3dc1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.dhcpmon.exe.4591288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.820081893.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.909997625.00000000041AF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.831387157.0000000004351000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Contact00212399490.exe PID: 6032, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5304, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6564, type: MEMORY
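
          The Yara hits listed above and the string matches under "Remote Access Functionality" rest on the same mechanism: NanoCore's client plugin host leaves its .NET metadata names (NanoCore.ClientPluginHost, IClientNetworkHost, IClientLoggingHost, ClientPlugin.dll and so on) in the unpacked image and in process memory. The scanner below is an added example, not part of this report and not the Yara rule Joe Sandbox used. It searches a buffer for those names in both ASCII and UTF-16LE (the two encodings .NET uses for metadata and user strings) and flags the buffer only when several distinct names are present, the way a Yara "N of them" condition does. The indicator list, the threshold of three, and the two sample buffers are assumptions chosen for the demonstration; the sample bytes are constructed, not taken from the analysed file.

```python
"""Added example (not from the Joe Sandbox report): a string-indicator
scanner for NanoCore client builds, with a Yara-style "N of them" rule.

Point it at a memory region dump, an unpacked PE or a raw file. The
indicator list, threshold and sample buffers are assumptions for the demo.
"""
import re
from dataclasses import dataclass
from typing import List

# .NET metadata names copied from the strings the report found in memory.
# "NanoCore.ClientPlugin" is deliberately omitted: it is a prefix of
# "NanoCore.ClientPluginHost" and would count the same bytes twice.
NANOCORE_INDICATORS = (
    b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"IClientNameObjectCollection",
    b"ClientPlugin.dll",
)


@dataclass(frozen=True)
class Hit:
    indicator: str   # the matched name, as text
    encoding: str    # "ascii" or "utf-16le"
    offset: int      # byte offset of the match in the scanned buffer


def _build_patterns():
    """Compile each indicator twice, like Yara's `ascii wide` modifiers:
    once as raw bytes (metadata #Strings heap) and once as UTF-16LE
    (how .NET stores user strings in the #US heap)."""
    patterns = []
    for raw in NANOCORE_INDICATORS:
        text = raw.decode("ascii")
        patterns.append((text, "ascii", re.compile(re.escape(raw))))
        patterns.append((text, "utf-16le",
                         re.compile(re.escape(text.encode("utf-16le")))))
    return patterns


_PATTERNS = _build_patterns()


def scan(buf: bytes) -> List[Hit]:
    """Return every indicator occurrence in `buf`, ordered by offset."""
    hits = [
        Hit(name, enc, m.start())
        for name, enc, pat in _PATTERNS
        for m in pat.finditer(buf)
    ]
    return sorted(hits, key=lambda h: h.offset)


def distinct_indicators(buf: bytes) -> set:
    """Names seen at least once, in either encoding."""
    return {h.indicator for h in scan(buf)}


def is_nanocore(buf: bytes, min_distinct: int = 3) -> bool:
    """Yara-style condition: at least `min_distinct` different names.
    One generic-looking name such as ClientPlugin.dll is not enough on
    its own, which keeps benign .NET binaries from tripping the rule."""
    return len(distinct_indicators(buf)) >= min_distinct


# Constructed sample input (not bytes from the analysed sample): a fragment
# shaped like a .NET #Strings heap (NUL-separated names), followed by one
# name stored as a UTF-16LE user string.
SAMPLE_INFECTED = (
    b"\x00<Module>\x00mscorlib\x00"
    b"NanoCore.ClientPluginHost\x00IClientNetworkHost\x00ClientPlugin.dll\x00"
    + "IClientLoggingHost".encode("utf-16le") + b"\x00\x00"
)
# Constructed benign buffer: a single, coincidental indicator only.
SAMPLE_BENIGN = b"\x00<Module>\x00mscorlib\x00MyApp.ClientPlugin.dll\x00"


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: nanocore={is_nanocore(sample)}")
        for hit in scan(sample):
            print(f"  {hit.offset:#06x} {hit.encoding:<8} {hit.indicator}")
```

Run against a real memory dump, the `scan` output gives the offsets to pull the surrounding metadata or configuration from, and the distinct-name count is what to tune if a sandbox's unpacked regions produce partial copies of the plugin host. Keeping ClientPlugin.dll in the list but requiring three distinct names is the same trade-off a Yara author makes when a single string is too generic to be a verdict on its own.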

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: Contact00212399490.exe, 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: Contact00212399490.exe, 00000008.00000002.909454601.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: Contact00212399490.exe, 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: Contact00212399490.exe, 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Yara detected Nanocore RAT
          Source: Yara match, File source: 18.2.dhcpmon.exe.4591288.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 23.2.Contact00212399490.exe.411eb0c.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.dhcpmon.exe.439eb0c.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 23.2.Contact00212399490.exe.411eb0c.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 14.2.dhcpmon.exe.47e1288.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Contact00212399490.exe.3ed1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.dhcpmon.exe.4399cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.Contact00212399490.exe.41bc131.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 23.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.dhcpmon.exe.439eb0c.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.Contact00212399490.exe.5c90000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Contact00212399490.exe.3ed1288.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.Contact00212399490.exe.5c90000.10.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.dhcpmon.exe.3f13135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.dhcpmon.exe.3f09cd6.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 23.2.Contact00212399490.exe.4123135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 24.2.dhcpmon.exe.43a3135.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.Contact00212399490.exe.41b7b08.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.dhcpmon.exe.3f0eb0c.3.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 12.2.Contact00212399490.exe.3dc1288.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.dhcpmon.exe.3f0eb0c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.Contact00212399490.exe.5c94629.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 23.2.Contact00212399490.exe.4119cd6.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.Contact00212399490.exe.41b7b08.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 14.2.dhcpmon.exe.47e1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 8.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 12.2.Contact00212399490.exe.3dc1288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 18.2.dhcpmon.exe.4591288.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000017.00000002.820081893.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000008.00000002.909997625.00000000041AF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.831387157.0000000004351000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: Contact00212399490.exe PID: 6032, type: MEMORY
          Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5304, type: MEMORY
          Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6564, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 2 | Input Capture 21 | Security Software Discovery 21 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 451851, Sample: Contact00212399490.exe, Startdate: 21/07/2021, Architecture: WINDOWS, Score: 100

          • Start (node 2)
            • DNS/IP: hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu
            • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
            • Started: Contact00212399490.exe 3 (node 9); Contact00212399490.exe 2 (node 13); dhcpmon.exe 2 (node 15); dhcpmon.exe 3 (node 17)
          • Contact00212399490.exe (node 9)
            • Dropped: C:\Users\user\...\Contact00212399490.exe.log, ASCII
            • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
            • Started: Contact00212399490.exe 1 15 (node 19)
          • Contact00212399490.exe (node 13) started Contact00212399490.exe 2 (node 24)
          • dhcpmon.exe (node 15) started dhcpmon.exe (node 26)
          • dhcpmon.exe (node 17) started dhcpmon.exe 2 (node 28)
          • Contact00212399490.exe (node 19)
            • DNS/IP: hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu 202.55.134.123, 2017, 49742, 49751, ADTEC-AS-VNADTECMediaJointStockCompanyVN, Viet Nam
            • Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO; C:\Users\user\AppData\Local\...\tmp293F.tmp, XML; C:\...\dhcpmon.exe:Zone.Identifier, ASCII
            • Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
            • Started: schtasks.exe 1 (node 30); schtasks.exe 1 (node 32)
          • schtasks.exe (node 30) started conhost.exe (node 34)
          • schtasks.exe (node 32) started conhost.exe (node 36)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Contact00212399490.exe | 19% | Virustotal |
          Contact00212399490.exe | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Woreflint
          Contact00212399490.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Woreflint

          Unpacked PE Files

          Source | Detection | Scanner | Label
          25.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          23.2.Contact00212399490.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          24.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          8.2.Contact00212399490.exe.5c90000.10.unpack | 100% | Avira | TR/NanoCore.fadte
          8.2.Contact00212399490.exe.41b7b08.4.unpack | 100% | Avira | TR/NanoCore.fadte
          8.2.Contact00212399490.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
           | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comTC_ | 0% | Avira URL Cloud | safe
          http://www.urwpp.de~= | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.founder.c | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.com | 0% | URL Reputation | safe
          http://www.fontbureau.comessed$% | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comypo | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnp. | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu | 0% | Avira URL Cloud | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.fonts.comic | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnm | 0% | URL Reputation | safe
          http://www.fontbureau.comlicd | 0% | Avira URL Cloud | safe
          http://www.tiro.comlichG | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comypol | 0% | Avira URL Cloud | safe
          http://www.fonts.comn | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.fonts.comchG | 0% | Avira URL Cloud | safe
          http://www.tiro.comFLG9 | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comuct | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.carterandcone.comic | 0% | URL Reputation | safe
          http://www.founder.com.cn/cne | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
          http://www.carterandcone.comd | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/ra | 0% | Avira URL Cloud | safe
          http://www.fonts.comn-u | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comexcD | 0% | Avira URL Cloud | safe
          http://www.fontbureau.comdg$n | 0% | Avira URL Cloud | safe
          http://www.fontbureau.coma | 0% | URL Reputation | safe
          http://www.fontbureau.comd | 0% | URL Reputation | safe
          http://www.tiro.comcm?GF | 0% | Avira URL Cloud | safe
          http://www.carterandcone.comypoooy | 0% | Avira URL Cloud | safe
          http://en.w | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu | 202.55.134.123 | true | false | | high

            Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
           | true | Avira URL Cloud: safe | low
          hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.fontbureau.com/designersI | Contact00212399490.exe, 00000000.00000003.652381189.0000000005205000.00000004.00000001.sdmp | false | | high
          http://www.carterandcone.comTC_ | Contact00212399490.exe, 00000000.00000003.642015326.000000000520E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          http://www.fontbureau.com/designersG | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | | high
          http://www.urwpp.de~= | Contact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          http://www.fontbureau.com/designers/? | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | | high
          http://www.founder.c | Contact00212399490.exe, 00000000.00000003.641326742.00000000051D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.goodfont.co.kr | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.com | Contact00212399490.exe, 00000000.00000003.642398595.000000000520E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comessed$% | Contact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          http://www.carterandcone.comypo | Contact00212399490.exe, 00000000.00000003.642184117.000000000520E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cnp. | Contact00212399490.exe, 00000000.00000003.641326742.00000000051D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.sajatypeworks.com | Contact00212399490.exe, 00000000.00000003.639853812.00000000051EB000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designersh | Contact00212399490.exe, 00000000.00000003.646049131.000000000520D000.00000004.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fonts.comic | Contact00212399490.exe, 00000000.00000003.639827878.00000000051EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cnm | Contact00212399490.exe, 00000000.00000003.641302171.000000000520D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comlicd | Contact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.tiro.comlichG | Contact00212399490.exe, 00000000.00000003.640128252.00000000051EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.carterandcone.comypol | Contact00212399490.exe, 00000000.00000003.642215882.000000000520E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fonts.comn | Contact00212399490.exe, 00000000.00000003.639802972.00000000051EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmp | false |
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.fonts.comchGContact00212399490.exe, 00000000.00000003.639853812.00000000051EB000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.tiro.comFLG9Contact00212399490.exe, 00000000.00000003.640085856.00000000051EB000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.carterandcone.comuctContact00212399490.exe, 00000000.00000003.642398595.000000000520E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fonts.comContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                          high
                          http://www.sandoll.co.krContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.urwpp.deDPleaseContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.zhongyicts.com.cnContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.sakkal.comContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.carterandcone.comicContact00212399490.exe, 00000000.00000003.641849809.000000000520E000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.founder.com.cn/cneContact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.apache.org/licenses/LICENSE-2.0Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                            high
                            http://www.fontbureau.comContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                              high
                              http://www.galapagosdesign.com/Contact00212399490.exe, 00000000.00000003.649077373.00000000051DD000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.comdContact00212399490.exe, 00000000.00000003.641849809.000000000520E000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn/raContact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fonts.comn-uContact00212399490.exe, 00000000.00000003.639827878.00000000051EB000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.carterandcone.comexcDContact00212399490.exe, 00000000.00000003.642015326.000000000520E000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.comdg$nContact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              low
                              http://www.fontbureau.comaContact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comdContact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.tiro.comcm?GFContact00212399490.exe, 00000000.00000003.640128252.00000000051EB000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.carterandcone.comypoooyContact00212399490.exe, 00000000.00000003.642398595.000000000520E000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://en.wContact00212399490.exe, 00000000.00000003.639271717.0000000000E7D000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.comlContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cnsofjContact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.founder.com.cn/cn/Contact00212399490.exe, 00000000.00000003.641509491.00000000051D4000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/cabarga.htmlNContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                                high
                                http://www.tiro.comEGContact00212399490.exe, 00000000.00000003.640128252.00000000051EB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.founder.com.cn/cnContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 00000000.00000003.641302171.000000000520D000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/frere-user.htmlContact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 00000000.00000003.646007545.000000000520D000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designers0.eContact00212399490.exe, 00000000.00000003.646705441.000000000520D000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sandoll.co.kr%(Contact00212399490.exe, 00000000.00000003.640797031.00000000051D9000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    low
                                    http://www.fontbureau.com/designers8Contact00212399490.exe, 00000000.00000002.734234934.00000000063E2000.00000004.00000001.sdmp, Contact00212399490.exe, 00000000.00000003.646049131.000000000520D000.00000004.00000001.sdmp, Contact00212399490.exe, 0000000C.00000002.809781276.00000000051F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.823267331.0000000005B10000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.834967095.0000000005940000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.comalsContact00212399490.exe, 00000000.00000003.647389005.00000000051D4000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.comTCsContact00212399490.exe, 00000000.00000003.641849809.000000000520E000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.com/designers1Contact00212399490.exe, 00000000.00000003.645703378.000000000520D000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.fontbureau.com/designers/Contact00212399490.exe, 00000000.00000003.645303374.000000000520D000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.tiro.com?GFContact00212399490.exe, 00000000.00000003.640085856.00000000051EB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comgneContact00212399490.exe, 00000000.00000003.641849809.000000000520E000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown

                                          Contacted IPs


                                          Public

IP: 202.55.134.123
Domain: hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu
Country: Viet Nam
ASN: 45540
ASN Name: ADTEC-AS-VN ADTEC Media Joint Stock Company VN
Malicious: false

                                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 451851
Start date: 21.07.2021
Start time: 12:37:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Contact00212399490.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/9@13/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0%)
• Quality average: 0%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                          • TCP Packets have been reduced to 100
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.42.151.234, 23.54.113.53, 13.88.21.125, 52.147.198.201, 20.82.209.183, 13.107.4.50, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.82.209.104
                                          • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, Edge-Prod-ZRHr0.env.au.au-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                          Simulations

                                          Behavior and APIs

Time      Type             Description
12:38:36  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
12:38:37  Task Scheduler   Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Contact00212399490.exe" s>$(Arg0)
12:38:38  API Interceptor  675x Sleep call for process: Contact00212399490.exe modified
12:38:40  Task Scheduler   Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\Contact00212399490.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 898560
Entropy (8bit): 7.703248488617781
Encrypted: false
SSDEEP: 24576:mT82zdO4+ysx5W8EtKQaa4Jx4NYDup307r:mY2WyCW8IdadS6o3c
MD5: FB87D692632732CE29ECC8C5AE64F5CF
SHA1: F636D1DBA447FD4F579FD4A85A3CC88062759A99
SHA-256: A5A3B625C48719D4E593435C16795B64D61D25BFEAF20FEAD77C6CAC57241BA4
SHA-512: 8382429513624018B113B5B9470A08DB09399EF4223AC16CC2FB067F0A0B584938420D5591696AE52DD3DCDA945A8B7120BB35038015F0288678E0329C50AFDA
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 13%
Reputation: unknown
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Kn.`..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......H....{..........H...XJ...........................................0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*..*".(.....*..{....*"..}....*...0..................... ....(....... ....(.......(....o.....+R..(........(......(........,.....(....(.......(......(..........,.....(....(........(....-...........o.........+...*........0._........0......................(........(.......(....o.....+R..(........(......
                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Contact00212399490.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: unknown
                                          Preview: [ZoneTransfer]....ZoneId=0
                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Contact00212399490.exe.log
Process: C:\Users\user\Desktop\Contact00212399490.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious: true
Reputation: unknown
                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.2874233355119316
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512: 90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious: false
Reputation: unknown
                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                          C:\Users\user\AppData\Local\Temp\tmp293F.tmp
                                          Process:C:\Users\user\Desktop\Contact00212399490.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1308
                                          Entropy (8bit):5.12418874087686
                                          Encrypted:false
                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YEbxxtn:cbk4oL600QydbQxIYODOLedq3Yxj
                                          MD5:18CD46F44E36B957AB997F35FE871E64
                                          SHA1:9C24D0D7BD98B7B5BD1198544D17F126B00DD646
                                          SHA-256:57DF8B050EE800C4397F729C6DE44247C983F28CB326844C1F370377FD94E25D
                                          SHA-512:277F2CB43E919804723AA0CDABBD6FFAB3EF36DFD94E533D0CC2148AE6D0FB9216F4C2EA80B68E020635404D9FEF986D9212D0BAFBC6E52287DE479AB2F8BF85
                                          Malicious:true
                                          Reputation:unknown
                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                          C:\Users\user\AppData\Local\Temp\tmp2D28.tmp
                                          Process:C:\Users\user\Desktop\Contact00212399490.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1310
                                          Entropy (8bit):5.109425792877704
                                          Encrypted:false
                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                          Malicious:false
                                          Reputation:unknown
                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                          Process:C:\Users\user\Desktop\Contact00212399490.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):2552
                                          Entropy (8bit):7.024371743172393
                                          Encrypted:false
                                          SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw0:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
                                          MD5:881D2F4B245BF6C5FC7A6CA720D59D5E
                                          SHA1:4BFC165F42F888943ED858A289D0B7368986AA8A
                                          SHA-256:79655C30BBE54988E098C7759D7614CB980AAAB2FBB60E7F8937CA8F9C95420F
                                          SHA-512:22E6D650E1DD3730D7B126B80E262788E0FDDFAA2E1C12B599DC85FB3C23D143A6D5F94D048EBE4BA05382BE2E8C85D996BAC3791E1F4F4808771D29ACC25110
                                          Malicious:false
                                          Reputation:unknown
                                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                          Process:C:\Users\user\Desktop\Contact00212399490.exe
                                          File Type:Non-ISO extended-ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):8
                                          Entropy (8bit):3.0
                                          Encrypted:false
                                          SSDEEP:3:3B:R
                                          MD5:E32B02C0E48C9FECE418577AC3AAC519
                                          SHA1:5576218D2FF37185E95318845A45593D2F4D0FDC
                                          SHA-256:C24C9CE4DAFDE4A4B010190BA769588700F02F5B795661A330F302D3D824E429
                                          SHA-512:0E533248574FE69134E3975E8B0A15BDC6D40AB6EC665ABAFC8C9479ECF6E017DEB7A75E065F49CCC119EBE5B4C9605EE56E9284E8906B2190242C90A9F23036
                                          Malicious:true
                                          Reputation:unknown
                                          Preview: p..3L.H
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                          Process:C:\Users\user\Desktop\Contact00212399490.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):45
                                          Entropy (8bit):4.322315530038772
                                          Encrypted:false
                                          SSDEEP:3:oNt+WfWmKlxEXWcrJ:oNwvmEx+WcrJ
                                          MD5:7199C8F3347CA649D0EA1CC1FA7B847F
                                          SHA1:C912A36AC1B5731C346B7942C3F11FCE03831A44
                                          SHA-256:F4EF6855EC1D73B5ABB65CE2D2D86230052DA4041B885542ED093C5DCAE68A7A
                                          SHA-512:D53FFDE5CCA4A7B7EEA6B45A15E212FEFCC9EE0E49C01A925D14CA05AE16E42FD1BF3EE4CA0FFCEFFB1470139632051370250393D74CBA01876087252C8894E8
                                          Malicious:false
                                          Reputation:unknown
                                          Preview: C:\Users\user\Desktop\Contact00212399490.exe

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.703248488617781
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:Contact00212399490.exe
                                          File size:898560
                                          MD5:fb87d692632732ce29ecc8c5ae64f5cf
                                          SHA1:f636d1dba447fd4f579fd4a85a3cc88062759a99
                                          SHA256:a5a3b625c48719d4e593435c16795b64d61d25bfeaf20fead77c6cac57241ba4
                                          SHA512:8382429513624018b113b5b9470a08db09399ef4223ac16cc2fb067f0a0b584938420d5591696ae52dd3dcda945a8b7120bb35038015f0288678e0329c50afda
                                          SSDEEP:24576:mT82zdO4+ysx5W8EtKQaa4Jx4NYDup307r:mY2WyCW8IdadS6o3c
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Kn.`..............0.................. ........@.. ....................... ............@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x4dcaf2
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x60F76E4B [Wed Jul 21 00:46:03 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v2.0.50727
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xdcaa0          0x4f          .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xde000          0x5e4         .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe0000          0xc           .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                          Sections

                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                          .text   0x2000           0xdaaf8       0xdac00   False     0.850891741071   data       7.70970971549   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc   0xde000          0x5e4         0x600     False     0.436197916667   data       4.20784097548   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc  0xe0000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name         RVA      Size   Type                                                                         Language  Country
                                          RT_VERSION   0xde090  0x352  data
                                          RT_MANIFEST  0xde3f4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLL          Import
                                          mscoree.dll  _CorExeMain

                                          Version Infos

                                          Description       Data
                                          Translation       0x0000 0x04b0
                                          LegalCopyright    Copyright Josh Preece 2017 - 2021
                                          Assembly Version  1.0.5.54
                                          InternalName      tfXNK.exe
                                          FileVersion       1.0.5.54
                                          CompanyName
                                          LegalTrademarks
                                          Comments
                                          ProductName       Navigation Lib
                                          ProductVersion    1.0.5.54
                                          FileDescription   Navigation Lib
                                          OriginalFilename  tfXNK.exe

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
                                          07/21/21-12:38:41.785937  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49742        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:38:48.862384  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49751        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:38:56.833319  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49756        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:03.346151  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49762        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:10.106709  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49763        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:16.805209  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49764        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:23.706214  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49765        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:31.361944  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49767        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:37.826277  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49769        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:44.438269  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49770        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:51.162062  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49771        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:39:57.975899  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49772        2017       192.168.2.4  202.55.134.123
                                          07/21/21-12:40:04.177794  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49773        2017       192.168.2.4  202.55.134.123

                                          Network Port Distribution

                                          TCP Packets

                                          Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                          Jul 21, 2021 12:38:50.536310911 CEST497512017192.168.2.4202.55.134.123
                                          Jul 21, 2021 12:38:50.804126024 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.804245949 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.804306984 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.804389000 CEST497512017192.168.2.4202.55.134.123
                                          Jul 21, 2021 12:38:50.804405928 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.804496050 CEST497512017192.168.2.4202.55.134.123
                                          Jul 21, 2021 12:38:50.804599047 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.804658890 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.804749966 CEST497512017192.168.2.4202.55.134.123
                                          Jul 21, 2021 12:38:50.807061911 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.807168961 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:50.807251930 CEST497512017192.168.2.4202.55.134.123
                                          Jul 21, 2021 12:38:50.984802961 CEST497512017192.168.2.4202.55.134.123
                                          Jul 21, 2021 12:38:51.075762033 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:51.075830936 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:51.075858116 CEST497512017192.168.2.4202.55.134.123
                                          Jul 21, 2021 12:38:51.075875998 CEST201749751202.55.134.123192.168.2.4
                                          Jul 21, 2021 12:38:51.075917959 CEST201749751202.55.134.123192.168.2.4

                                          UDP Packets

                                          Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                          Jul 21, 2021 12:37:48.910790920 CEST  49714        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:48.923541069 CEST  53           49714      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:49.590452909 CEST  58028        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:49.605416059 CEST  53           58028      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:50.292915106 CEST  53097        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:50.306498051 CEST  53           53097      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:51.331161022 CEST  49257        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:51.343931913 CEST  53           49257      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:51.549416065 CEST  62389        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:51.567630053 CEST  53           62389      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:52.139972925 CEST  49910        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:52.153664112 CEST  53           49910      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:54.108809948 CEST  55854        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:54.123486996 CEST  53           55854      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:55.362193108 CEST  64549        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:55.376096964 CEST  53           64549      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:56.524992943 CEST  63153        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:56.537935972 CEST  53           63153      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:57.184509039 CEST  52991        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:57.200916052 CEST  53           52991      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:58.263773918 CEST  53700        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:58.275876045 CEST  53           53700      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:37:59.310570002 CEST  51726        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:37:59.325587988 CEST  53           51726      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:00.103604078 CEST  56794        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:00.119663954 CEST  53           56794      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:10.967164040 CEST  56534        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:10.980078936 CEST  53           56534      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:13.694207907 CEST  56627        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:13.707071066 CEST  53           56627      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:14.746797085 CEST  56621        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:14.760632038 CEST  53           56621      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:16.753408909 CEST  63116        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:16.771455050 CEST  53           63116      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:17.797998905 CEST  64078        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:17.811009884 CEST  53           64078      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:20.812798023 CEST  64801        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:20.828589916 CEST  53           64801      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:21.541568041 CEST  61721        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:21.554518938 CEST  53           61721      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:22.701814890 CEST  51255        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:22.728835106 CEST  53           51255      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:41.373922110 CEST  61522        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:41.414271116 CEST  53           61522      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:43.467230082 CEST  52337        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:43.480292082 CEST  53           52337      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:45.038841963 CEST  55046        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:45.051758051 CEST  53           55046      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:45.629354000 CEST  49612        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:45.645262957 CEST  53           49612      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:46.381863117 CEST  49285        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:46.401137114 CEST  53           49285      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:46.706465960 CEST  50601        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:46.720441103 CEST  53           50601      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:46.816345930 CEST  60875        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:46.829788923 CEST  53           60875      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:47.411010981 CEST  56448        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:47.425200939 CEST  53           56448      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:47.894814968 CEST  59172        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:47.909288883 CEST  53           59172      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:48.574074030 CEST  62420        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:48.589274883 CEST  53           62420      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:48.928610086 CEST  60579        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:48.942209005 CEST  53           60579      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:51.200073004 CEST  50183        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:51.212879896 CEST  53           50183      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:52.132497072 CEST  61531        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:52.145581961 CEST  53           61531      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:53.002593040 CEST  49228        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:53.015724897 CEST  53           49228      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:38:56.533895016 CEST  59794        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:38:56.562938929 CEST  53           59794      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:00.361325026 CEST  55916        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:00.379760027 CEST  53           55916      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:03.043729067 CEST  52752        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:03.069916010 CEST  53           52752      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:09.667246103 CEST  60542        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:09.680434942 CEST  53           60542      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:16.450242996 CEST  60689        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:16.504811049 CEST  53           60689      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:23.007823944 CEST  64206        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:23.021382093 CEST  53           64206      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:30.595072031 CEST  50904        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:30.611829042 CEST  53           50904      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:31.074716091 CEST  57525        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:31.088162899 CEST  53           57525      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:32.670160055 CEST  53814        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:32.699345112 CEST  53           53814      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:37.537983894 CEST  53418        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:37.551628113 CEST  53           53418      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:44.116878033 CEST  62833        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:44.132482052 CEST  53           62833      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:50.705631971 CEST  59260        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:50.721638918 CEST  53           59260      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:39:57.617206097 CEST  49944        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:39:57.630556107 CEST  53           49944      8.8.8.8         192.168.2.4
                                          Jul 21, 2021 12:40:03.888027906 CEST  63300        53         192.168.2.4     8.8.8.8
                                          Jul 21, 2021 12:40:03.904207945 CEST  53           63300      8.8.8.8         192.168.2.4

                                          DNS Queries

                                          Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                                              Type            Class
                                          Jul 21, 2021 12:38:41.373922110 CEST  192.168.2.4  8.8.8.8  0x768c    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:38:48.574074030 CEST  192.168.2.4  8.8.8.8  0x899     Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:38:56.533895016 CEST  192.168.2.4  8.8.8.8  0xd94d    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:03.043729067 CEST  192.168.2.4  8.8.8.8  0xfd24    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:09.667246103 CEST  192.168.2.4  8.8.8.8  0xd668    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:16.450242996 CEST  192.168.2.4  8.8.8.8  0x1502    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:23.007823944 CEST  192.168.2.4  8.8.8.8  0xe4f2    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:31.074716091 CEST  192.168.2.4  8.8.8.8  0x30f9    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:37.537983894 CEST  192.168.2.4  8.8.8.8  0x8a1f    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:44.116878033 CEST  192.168.2.4  8.8.8.8  0x4c27    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:50.705631971 CEST  192.168.2.4  8.8.8.8  0xf9e8    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:57.617206097 CEST  192.168.2.4  8.8.8.8  0xb4b9    Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:40:03.888027906 CEST  192.168.2.4  8.8.8.8  0x85f     Standard query (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  A (IP address)  IN (0x0001)

                                          DNS Answers

                                          Timestamp                             Source IP    Dest IP      Trans ID  Reply Code    Name                                              CName  Address         Type            Class
                                          Jul 21, 2021 12:38:41.414271116 CEST  8.8.8.8      192.168.2.4  0x768c    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:38:48.589274883 CEST  8.8.8.8      192.168.2.4  0x899     No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:38:56.562938929 CEST  8.8.8.8      192.168.2.4  0xd94d    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:03.069916010 CEST  8.8.8.8      192.168.2.4  0xfd24    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:09.680434942 CEST  8.8.8.8      192.168.2.4  0xd668    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:16.504811049 CEST  8.8.8.8      192.168.2.4  0x1502    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:23.021382093 CEST  8.8.8.8      192.168.2.4  0xe4f2    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:31.088162899 CEST  8.8.8.8      192.168.2.4  0x30f9    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:37.551628113 CEST  8.8.8.8      192.168.2.4  0x8a1f    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:44.132482052 CEST  8.8.8.8      192.168.2.4  0x4c27    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:50.721638918 CEST  8.8.8.8      192.168.2.4  0xf9e8    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:39:57.630556107 CEST  8.8.8.8      192.168.2.4  0xb4b9    No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)
                                          Jul 21, 2021 12:40:03.904207945 CEST  8.8.8.8      192.168.2.4  0x85f     No error (0)  hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu  -      202.55.134.123  A (IP address)  IN (0x0001)

                                          Code Manipulations

                                          Statistics

                                          Behavior

                                          System Behavior

                                          General

                                          Start time:12:37:54
                                          Start date:21/07/2021
                                          Path:C:\Users\user\Desktop\Contact00212399490.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\Contact00212399490.exe'
                                          Imagebase:0x6b0000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.729163060.0000000003DA6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:12:38:34
                                          Start date:21/07/2021
                                          Path:C:\Users\user\Desktop\Contact00212399490.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x900000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.911854568.0000000005C90000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.907399609.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.909997625.00000000041AF000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.911502248.00000000059F0000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.911502248.00000000059F0000.00000004.00000001.sdmp, Author: Florian Roth
                                          Reputation:low

                                          General

                                          Start time:12:38:36
                                          Start date:21/07/2021
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp293F.tmp'
                                          Imagebase:0x8c0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:12:38:36
                                          Start date:21/07/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:12:38:37
                                          Start date:21/07/2021
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2D28.tmp'
                                          Imagebase:0x8c0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:12:38:37
                                          Start date:21/07/2021
                                          Path:C:\Users\user\Desktop\Contact00212399490.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\Contact00212399490.exe 0
                                          Imagebase:0x5e0000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.808360718.0000000003C96000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:12:38:37
                                          Start date:21/07/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:12:38:40
                                          Start date:21/07/2021
                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                          Imagebase:0xec0000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 13%, ReversingLabs
                                          Reputation:low

                                          General

                                          Start time:12:38:44
                                          Start date:21/07/2021
                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                          Imagebase:0xcf0000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.833125664.0000000004466000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:12:39:12
                                          Start date:21/07/2021
                                          Path:C:\Users\user\Desktop\Contact00212399490.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x7b0000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.820081893.00000000030D1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.820081893.00000000030D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:12:39:15
                                          Start date:21/07/2021
                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0xac0000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.831351914.0000000003351000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.829356083.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.831387157.0000000004351000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.831387157.0000000004351000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:12:39:19
                                          Start date:21/07/2021
                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x640000
                                          File size:898560 bytes
                                          MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.841910692.0000000002EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.841940350.0000000003EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.840452566.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low
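The process records above show the same 898560-byte binary (MD5 FB87D692632732CE29ECC8C5AE64F5CF) running both from the submission path and from C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, each copy matching the NanoCore Yara rules in its memory dumps. The script below is an added example, not part of this report or of Joe Sandbox's tooling: it parses the report's Field:value process blocks and derives the two facts a triager wants from them, the persistence copies (same hash, different path than the submitted sample) and the Yara rules that fired per process. The embedded report excerpt is constructed from the records above and shortened; the function names and the handling of the record layout are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox process records.

Added example (not the report's or Joe Security's code).  Parses the
plain-text "General" blocks (one per process, Field:value lines, bullet
lines for Yara hits) and summarises persistence copies and Yara hits.
"""
import re

# Constructed excerpt mirroring the report's record layout (two records,
# some fields omitted for brevity).
SAMPLE_RECORDS = r"""
General

Start time:12:38:40
Start date:21/07/2021
Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
File size:898560 bytes
MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
Has elevated privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.818841483.00000000046B6000.00000004.00000001.sdmp, Author: Joe Security
Reputation:low

General

Start time:12:39:12
Start date:21/07/2021
Path:C:\Users\user\Desktop\Contact00212399490.exe
Commandline:{path}
File size:898560 bytes
MD5 hash:FB87D692632732CE29ECC8C5AE64F5CF
Has elevated privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.820461412.00000000040D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.817702789.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:low
"""

# One Yara bullet: rule name up to the first comma, memory-dump source id
# up to the next comma.
YARA_LINE = re.compile(r"^•\s*Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>[^,\s]+)")


def parse_records(text):
    """Split the text on 'General' headers and return one dict per process.

    Scalar fields map key -> value (split on the first ':' only, so times
    and Windows paths survive); 'yara' holds a list of (rule, source).
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            current = {"yara": []}
            records.append(current)
            continue
        if not line or current is None:
            continue
        hit = YARA_LINE.match(line)
        if hit:
            current["yara"].append((hit.group("rule"), hit.group("source")))
            continue
        if ":" in line and not line.startswith("•"):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def find_persistence_copies(records, sample_path):
    """Paths other than the submitted sample's that carry the sample's MD5,
    i.e. where the dropper copied itself for persistence."""
    sample_md5 = None
    for rec in records:
        if rec.get("Path") == sample_path:
            sample_md5 = rec.get("MD5 hash", "").upper()
            break
    if not sample_md5:
        raise ValueError(f"no record for submitted sample {sample_path}")
    return sorted({rec["Path"] for rec in records
                   if rec.get("MD5 hash", "").upper() == sample_md5
                   and rec["Path"] != sample_path})


def yara_by_process(records):
    """Map (path, start time) -> sorted distinct rule names that fired in
    that process' memory, so copies that really unpacked the RAT stand out."""
    return {(rec["Path"], rec.get("Start time")): sorted({r for r, _ in rec["yara"]})
            for rec in records}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    sample = r"C:\Users\user\Desktop\Contact00212399490.exe"
    print("persistence copies:", find_persistence_copies(recs, sample))
    for (path, started), rules in yara_by_process(recs).items():
        print(f"{started} {path}: {', '.join(rules) or 'no Yara hits'}")
```

The parser splits each line on the first colon only, which is what keeps "Start time:12:38:40" and "Path:C:\..." intact; the Yara source ids are captured separately because they identify the memory dump (process id, dump number, address) the hit came from, which is where one would go next to extract the unpacked NanoCore configuration.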
