Windows Analysis Report: Contact00212399490.exe

Overview

General Information

Sample Name: Contact00212399490.exe
Analysis ID: 451970
MD5: a6bd3de048002bee7a8d973c887227d8
SHA1: 90cf93d93b141654a62ff3a3b6810faef2ff3d69
SHA256: 1e3539b9de51134004ff4bff43ab144e748a329265decf8421442cef3109210d
Tags: exe, NanoCoreRAT
Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Contact00212399490.exe (PID: 5560 cmdline: 'C:\Users\user\Desktop\Contact00212399490.exe' MD5: A6BD3DE048002BEE7A8D973C887227D8)
    • Contact00212399490.exe (PID: 6296 cmdline: {path} MD5: A6BD3DE048002BEE7A8D973C887227D8)
      • schtasks.exe (PID: 6332 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp203E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6384 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp23F8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6584 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: A6BD3DE048002BEE7A8D973C887227D8)
    • dhcpmon.exe (PID: 6360 cmdline: {path} MD5: A6BD3DE048002BEE7A8D973C887227D8)
  • dhcpmon.exe (PID: 6760 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A6BD3DE048002BEE7A8D973C887227D8)
    • dhcpmon.exe (PID: 6460 cmdline: {path} MD5: A6BD3DE048002BEE7A8D973C887227D8)

Malware Configuration

No configs have been found (automated NanoCore config extraction did not succeed on this run; the runtime C2 endpoint is nevertheless visible under Networking below: TCP 202.55.134.123:2017, together with a DNS query for hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu).

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0x238a7:$a: NanoCore
      • 0x23900:$a: NanoCore
      • 0x2393d:$a: NanoCore
      • 0x239b6:$a: NanoCore
      • 0x23909:$b: ClientPlugin
      • 0x23946:$b: ClientPlugin
      • 0x24244:$b: ClientPlugin
      • 0x24251:$b: ClientPlugin
      • 0x1b62f:$e: KeepAlive
      • 0x23d91:$g: LogClientMessage
      • 0x23d11:$i: get_Connected
      • 0x158d9:$j: #=q
      • 0x15909:$j: #=q
      • 0x15945:$j: #=q
      • 0x1596d:$j: #=q
      • 0x1599d:$j: #=q
      • 0x159cd:$j: #=q
      • 0x159fd:$j: #=q
      • 0x15a2d:$j: #=q
      • 0x15a49:$j: #=q
      • 0x15a79:$j: #=q
00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(45 memory-dump entries in total; the remainder are collapsed on the original page)

        Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.Contact00212399490.exe.5f20000.8.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
        • 0xd9ad:$x1: NanoCore.ClientPluginHost
        • 0xd9da:$x2: IClientNetworkHost
18.2.Contact00212399490.exe.5f20000.8.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0xd9ad:$x2: NanoCore.ClientPluginHost
        • 0xea88:$s4: PipeCreated
        • 0xd9c7:$s5: IClientLoggingHost
18.2.Contact00212399490.exe.5f20000.8.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
23.2.Contact00212399490.exe.3ee6d10.1.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
          • 0xe38d:$x1: NanoCore.ClientPluginHost
          • 0xe3ca:$x2: IClientNetworkHost
          • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
23.2.Contact00212399490.exe.3ee6d10.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
          • 0xe105:$x1: NanoCore Client.exe
          • 0xe38d:$x2: NanoCore.ClientPluginHost
          • 0xf9c6:$s1: PluginCommand
          • 0xf9ba:$s2: FileCommand
          • 0x1086b:$s3: PipeExists
          • 0x16622:$s4: PipeCreated
          • 0xe3b7:$s5: IClientLoggingHost
(87 unpacked-PE entries in total; the remainder are collapsed on the original page)
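The offsets listed with each rule hit are where the rule's strings sit inside the dumped region or unpacked PE. The Python below is an added example, not code from this report, from Joe Security or from the rule authors: it reproduces that kind of matching over a constructed buffer, prints every string offset in the report's `0xoffset:$ident: value` form, counts the `#=q` obfuscated-name prefix that Kevin Breen's rule scores as `$j`, and applies a verdict condition that is this example's own assumption (any `$x` string, or three `$s` strings, inside an MZ image), standing in for the published rule logic. The sample buffer is constructed here and contains no bytes from the real sample.

```python
import re

# Indicator strings taken from the Yara hits quoted in this report
# (Nanocore_RAT_Gen_2 / Nanocore_RAT_Feb18_1 by Florian Roth). The grouping
# into $x/$s and the condition in verdict() are this example's simplification,
# not the published rule logic.
NANOCORE_STRINGS = {
    "x1": b"NanoCore.ClientPluginHost",  # high-confidence ($x*)
    "x2": b"IClientNetworkHost",
    "x3": b"NanoCore Client.exe",
    "s1": b"PluginCommand",              # supporting ($s*)
    "s2": b"FileCommand",
    "s3": b"PipeExists",
    "s4": b"PipeCreated",
    "s5": b"IClientLoggingHost",
}

# "#=q" is the member-name prefix the .NET Reactor obfuscator leaves behind;
# Kevin Breen's NanoCore rule counts it as its $j string.
OBFUSCATED_NAME_PREFIX = b"#=q"


def find_all(data: bytes, needle: bytes) -> list[int]:
    """All offsets of needle in data, overlapping matches included (Yara semantics)."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(needle) + b")", data)]


def scan(data: bytes, strings: dict[str, bytes] = NANOCORE_STRINGS) -> dict[str, list[int]]:
    """Map every string identifier to the offsets where it occurs (empty list if absent)."""
    return {ident: find_all(data, needle) for ident, needle in strings.items()}


def format_hits(hits: dict[str, list[int]], strings: dict[str, bytes] = NANOCORE_STRINGS) -> list[str]:
    """Render hits the way the report does: '0xoffset:$ident: value'."""
    return [f"0x{off:x}:${ident}: {strings[ident].decode()}"
            for ident, offs in hits.items() for off in offs]


def obfuscation_hint(data: bytes) -> int:
    """Count of '#=q'-prefixed names; a high count points to a .NET Reactor protected assembly."""
    return len(find_all(data, OBFUSCATED_NAME_PREFIX))


def verdict(data: bytes) -> tuple[bool, str]:
    """Assumed condition: MZ header and (any $x string, or at least three $s strings)."""
    if not data.startswith(b"MZ"):
        return False, "not a PE image"
    hits = scan(data)
    x_hits = [i for i in hits if i.startswith("x") and hits[i]]
    s_hits = [i for i in hits if i.startswith("s") and hits[i]]
    if x_hits:
        return True, "high-confidence string(s): " + ", ".join("$" + i for i in x_hits)
    if len(s_hits) >= 3:
        return True, "supporting strings: " + ", ".join("$" + i for i in s_hits)
    return False, "no NanoCore strings"


# Constructed sample buffer: a fake PE stub followed by the kind of metadata
# strings an unpacked NanoCore client carries. Not bytes from the real sample.
SAMPLE = (
    b"MZ" + b"\x90" * 0x40 + b"PE\0\0" + b"\0" * 0x20
    + b"#=qAbc\0#=qDef\0#=qGhi\0"
    + b"NanoCore.ClientPluginHost\0"
    + b"IClientLoggingHost\0"
    + b"IClientNetworkHost\0"
    + b"PipeCreated\0"
)

if __name__ == "__main__":
    for line in format_hits(scan(SAMPLE)):
        print(line)
    print("obfuscated names:", obfuscation_hint(SAMPLE))
    print("verdict:", verdict(SAMPLE))
```

Run against a real unpacked dump (`scan(open(path, "rb").read())`) the offsets line up with what the report prints for the same strings; the real rules also use Yara's `wide` modifier for UTF-16 copies of some strings, which this ASCII-only scanner leaves out.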

          Sigma Overview

          AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Contact00212399490.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality:

The same Sigma hit (NanoCore; EventID 11 creation of C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat by ProcessId 6296, Image C:\Users\user\Desktop\Contact00212399490.exe, Author Joe Security) is listed under each of these three categories as well; the source line is identical to the one under AV Detection.
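The Sigma hit keys on the run.dat drop under a GUID-named folder in %AppData%\Roaming, and the process tree shows the same dropper (PID 6296) registering two scheduled tasks from XML files in the user's Temp directory. The Python below is an added example, not code from this report or from Joe Security, that runs both detections over constructed Sysmon-style records (EventID 1 process creation and EventID 11 file creation, field names as in the Sigma source line) and then correlates them: a schtasks launch is only reported as high confidence when its parent is the process that also dropped run.dat. The event records, including the two benign look-alikes, are constructed for the example; the regexes are this example's own, not the Sigma rule's.

```python
import re
from typing import Optional

# Sysmon-style event records constructed for this example. The first three
# mirror the Sigma source line and the schtasks entries in the process tree
# (quoting normalised to the double quotes Windows actually uses); the last
# two are benign look-alikes the rules must not flag.
EVENTS = [
    {"EventID": 11, "ProcessId": 6296,
     "Image": r"C:\Users\user\Desktop\Contact00212399490.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 6332, "ParentProcessId": 6296,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp203E.tmp"'},
    {"EventID": 1, "ProcessId": 6384, "ParentProcessId": 6296,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp23F8.tmp"'},
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /fo LIST"},
    {"EventID": 11, "ProcessId": 7100,
     "Image": r"C:\Program Files\SomeApp\app.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\SomeApp\run.dat"},
]

GUID = r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}"
# run.dat directly under %AppData%\Roaming\<GUID>\ (the Sigma hit above).
RUN_DAT = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.I)
# A scheduled task imported from an XML file living in the user's Temp directory.
TASK_FROM_TEMP_XML = re.compile(
    r"/create\b.*?/xml\s+[\"']?[^\"']*\\AppData\\Local\\Temp\\", re.I)
TASK_NAME = re.compile(r"/tn\s+(?:[\"']([^\"']+)[\"']|(\S+))", re.I)


def is_nanocore_run_dat(ev: dict) -> bool:
    return ev.get("EventID") == 11 and bool(RUN_DAT.search(ev.get("TargetFilename", "")))


def is_task_from_temp_xml(ev: dict) -> bool:
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower().endswith(r"\schtasks.exe")
            and bool(TASK_FROM_TEMP_XML.search(ev.get("CommandLine", ""))))


def task_name(cmdline: str) -> Optional[str]:
    """The /tn argument, quoted or bare, so the finding names the task to remove."""
    m = TASK_NAME.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def hunt(events: list) -> list:
    """Per-event findings as (rule, ProcessId, detail) tuples."""
    findings = []
    for ev in events:
        if is_nanocore_run_dat(ev):
            findings.append(("nanocore_run_dat", ev["ProcessId"], ev["TargetFilename"]))
        elif is_task_from_temp_xml(ev):
            findings.append(("schtasks_xml_from_temp", ev["ProcessId"],
                             task_name(ev["CommandLine"]) or ""))
    return findings


def correlate(events: list) -> list:
    """PIDs of schtasks launches whose parent also dropped the NanoCore run.dat.
    Either rule alone can fire on unusual but legitimate software; both under
    one parent is the persistence sequence this report shows."""
    droppers = {pid for rule, pid, _ in hunt(events) if rule == "nanocore_run_dat"}
    return [ev["ProcessId"] for ev in events
            if is_task_from_temp_xml(ev) and ev.get("ParentProcessId") in droppers]


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
    print("task creations by the run.dat dropper:", correlate(EVENTS))
```

On a real host the same two rules translate directly into a Sysmon/EDR query; the task names the finding returns ("DHCP Monitor", "DHCP Monitor Task") are what to delete with `schtasks /delete /tn` during cleanup, after the `dhcpmon.exe` copies they launch have been stopped.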

          Jbx Signature Overview

          AV Detection:

Yara detected Nanocore RAT
Source: Yara match, unpacked PEs (type UNPACKEDPE):
  • 18.2.Contact00212399490.exe.5f20000.8.unpack
  • 23.2.Contact00212399490.exe.3ee6d10.1.unpack
  • 18.2.Contact00212399490.exe.400000.0.unpack
  • 18.2.Contact00212399490.exe.4477b08.4.raw.unpack
  • 33.2.dhcpmon.exe.474eb0c.5.raw.unpack
  • 32.2.Contact00212399490.exe.3d3eb0c.5.raw.unpack
  • 32.2.Contact00212399490.exe.3d3eb0c.5.unpack
  • 1.2.Contact00212399490.exe.4916d10.2.unpack
  • 18.2.Contact00212399490.exe.4477b08.4.unpack
  • 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack
  • 32.2.Contact00212399490.exe.400000.0.unpack
  • 18.2.Contact00212399490.exe.5f20000.8.raw.unpack
  • 18.2.Contact00212399490.exe.447c131.5.raw.unpack
  • 25.2.dhcpmon.exe.3b76d10.1.unpack
  • 1.2.Contact00212399490.exe.4916d10.2.raw.unpack
  • 24.2.dhcpmon.exe.3aa6d10.1.unpack
  • 33.2.dhcpmon.exe.4749cd6.3.raw.unpack
  • 18.2.Contact00212399490.exe.5f24629.9.raw.unpack
  • 33.2.dhcpmon.exe.400000.0.unpack
  • 33.2.dhcpmon.exe.4753135.4.raw.unpack
  • 32.2.Contact00212399490.exe.3d43135.4.raw.unpack
  • 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack
  • 33.2.dhcpmon.exe.474eb0c.5.unpack
  • 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack
  • 25.2.dhcpmon.exe.3b76d10.1.raw.unpack
Source: Yara match, memory dumps (type MEMORY):
  • 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp
  • 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp
  • 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp
  • 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp
  • 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp
  • 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp
  • 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp
  • 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp
  • 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp
  • 00000022.00000002.425327961.0000000004651000.00000004.00000001.sdmp
  • 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp
  • 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp
  • 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp
  • 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp
  • 00000022.00000002.425228255.0000000003651000.00000004.00000001.sdmp
  • 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp
  • Process Memory Space: dhcpmon.exe PID: 6360
  • Process Memory Space: Contact00212399490.exe PID: 5276
Source: 18.2.Contact00212399490.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.Contact00212399490.exe.5f20000.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: 18.2.Contact00212399490.exe.4477b08.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 32.2.Contact00212399490.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 33.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: Contact00212399490.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Contact00212399490.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Contact00212399490.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\symbols\dll\System.pdb | found in: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
Source: Binary string: System.pdbM | found in: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb | found in: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbILE | found in: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb++X | found in: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdbar | found in: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
Source: Binary string: System.pdb | found in: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | found in: Contact00212399490.exe, 00000001.00000002.301522990.0000000001860000.00000002.00000001.sdmp; Contact00212399490.exe, 00000012.00000002.494518626.0000000005C30000.00000002.00000001.sdmp; Contact00212399490.exe, 00000017.00000002.406688308.0000000006860000.00000002.00000001.sdmp; dhcpmon.exe, 00000018.00000002.418954402.0000000006440000.00000002.00000001.sdmp; dhcpmon.exe, 00000019.00000002.422381656.00000000060F0000.00000002.00000001.sdmp
(The System.pdb and mscorrc.pdb strings are .NET runtime symbol paths, present in any managed process; they say nothing about the sample's own build environment.)

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3 -> 202.55.134.123:2017, one alert per connection from source ports 49724, 49727, 49737, 49743, 49744, 49745, 49746, 49749, 49751, 49752, 49753 (11 alerts in total)
Source: global traffic | TCP traffic: 192.168.2.3:49724 -> 202.55.134.123:2017
Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 18_2_017A2EA6 WSARecv
Source: unknown | DNS traffic detected: queries for: hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu
The repeated short connections to TCP/2017 (a non-standard port, cf. the "Detected TCP or UDP traffic on non-standard ports" signature above) together with a long random-looking host label under the dynamic-DNS zone ydns.eu are the C2 pattern to block and hunt for: the IP, the port and the hostname are the actionable indicators from this run.
Source: Contact00212399490.exe (memory dumps 00000001.00000002.311536637.0000000005CE0000 and 00000001.00000003.*.0000000005B7x000, 00000017.00000002.402463014.0000000005330000) and dhcpmon.exe (00000018.00000002.415768184.0000000004F00000, 00000019.00000002.418372960.0000000004F90000) | Strings found in binary or memory. These are type-foundry and font-licence URLs of the kind carried in font file metadata; they are almost certainly GDI+/System.Drawing font data loaded by the .NET process, not C2 indicators:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com (also /designers, /designers/?, /designers/cabarga.htmlN, /designers/frere-jones.html, /designers8, /designersG, /designersv(W, and .comu variants)
  • http://www.fonts.com (also .com-, .comcz, .comnc variants)
  • http://www.founder.com.cn/cn (also /cn/, /cn/bThe, /cn/cThe, /cn/yp, /cnLog, /cnh variants)
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/ (also //, /eta, /f, /jp/, /m, /t variants)
  • http://www.sajatypeworks.com (also .compor, .comt variants)
  • http://www.sakkal.com
  • http://www.sandoll.co.kr (also .krW, .krndor variants)
  • http://www.tiro.com (also .com$, .comh variants)
  • http://www.typography.netD
  • http://www.urwpp.de (also .deDPlease variant)
  • http://www.zhongyicts.com.cn
(The trailing characters in the variants, such as "coml", "netD" or "DPlease", are adjacent bytes picked up by the string scanner, not part of the URL.)
Source: dhcpmon.exe, 00000018.00000002.403706627.00000000008F8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Contact00212399490.exe, 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
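The Snort alerts above all have the same shape: eleven 60-byte connections from one internal host to the same external IP on TCP/2017, preceded by a DNS lookup of a long random-looking label under a dynamic-DNS zone. The Python below is an added example, not code from this report or from Joe Security, that turns those two observations into detection logic and runs it over constructed flow lines (the 5-tuples and sizes copied from the alerts, plus one benign HTTPS flow) and a constructed DNS query list. The flow-line format, the port allow-list, the thresholds and the dynamic-DNS zone list are this example's own assumptions.

```python
import re
from collections import Counter

# Flow lines constructed from the Snort alerts quoted above (size, 5-tuple),
# plus one benign HTTPS flow. The line format is this example's own, not a
# Snort or Joe Sandbox export format.
FLOWS = """\
60B 192.168.2.3:49724 -> 202.55.134.123:2017
60B 192.168.2.3:49727 -> 202.55.134.123:2017
60B 192.168.2.3:49737 -> 202.55.134.123:2017
60B 192.168.2.3:49743 -> 202.55.134.123:2017
60B 192.168.2.3:49744 -> 202.55.134.123:2017
60B 192.168.2.3:49745 -> 202.55.134.123:2017
60B 192.168.2.3:49746 -> 202.55.134.123:2017
60B 192.168.2.3:49749 -> 202.55.134.123:2017
60B 192.168.2.3:49751 -> 202.55.134.123:2017
60B 192.168.2.3:49752 -> 202.55.134.123:2017
60B 192.168.2.3:49753 -> 202.55.134.123:2017
1460B 192.168.2.3:49800 -> 93.184.216.34:443
"""
# The report's DNS query plus a benign name, constructed for the example.
DNS_QUERIES = [
    "hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu",
    "www.example.com",
]

FLOW_RE = re.compile(r"^(\d+)B (\S+):(\d+) -> (\S+):(\d+)$")
# Ports where small repeated connections are normal; anything else counts as
# non-standard for this example (tune to the environment).
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995}
# Starter list of dynamic-DNS zones (assumption for this example; extend from
# your own threat intel). ydns.eu is the zone seen in this report.
DYNDNS_ZONES = ("ydns.eu", "duckdns.org", "no-ip.org", "ddns.net", "hopto.org")


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({"bytes": int(m.group(1)), "src": m.group(2), "sport": int(m.group(3)),
                          "dst": m.group(4), "dport": int(m.group(5))})
    return flows


def beacon_candidates(flows: list, min_conns: int = 5, max_bytes: int = 128) -> list:
    """(src, dst, dport) keys with many small connections to a non-standard port:
    the shape of a RAT keep-alive such as the repeated 60-byte sends above."""
    counts = Counter((f["src"], f["dst"], f["dport"]) for f in flows
                     if f["bytes"] <= max_bytes and f["dport"] not in COMMON_PORTS)
    return [(key, n) for key, n in counts.items() if n >= min_conns]


def suspicious_dns(names: list) -> list:
    """Names under a dynamic-DNS zone, or whose first label is long and random-looking."""
    out = []
    for name in names:
        lowered = name.lower()
        first_label = lowered.split(".")[0]
        under_dyndns = any(lowered.endswith("." + zone) for zone in DYNDNS_ZONES)
        long_label = len(first_label) >= 24 and first_label.isalpha()
        if under_dyndns or long_label:
            out.append(name)
    return out


def hunt(flow_text: str = FLOWS, dns: list = DNS_QUERIES) -> dict:
    return {"beacons": beacon_candidates(parse_flows(flow_text)),
            "dns": suspicious_dns(dns)}


if __name__ == "__main__":
    print(hunt())
```

The beacon rule keys on repeated short connections rather than on the destination alone, so it still fires after the operator moves the C2 to a new dynamic-DNS record; the DNS rule catches the lookup even when the resolved address changes.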

          E-Banking Fraud:

          barindex
          Yara detected Nanocore RATShow sources
          Source: Yara match File source: 18.2.Contact00212399490.exe.5f20000.8.unpack, type: UNPACKEDPE
          Source: Yara match File source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 18.2.Contact00212399490.exe.4477b08.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.dhcpmon.exe.474eb0c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 32.2.Contact00212399490.exe.3d3eb0c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 32.2.Contact00212399490.exe.3d3eb0c.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 18.2.Contact00212399490.exe.4477b08.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 18.2.Contact00212399490.exe.5f20000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 18.2.Contact00212399490.exe.447c131.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.Contact00212399490.exe.4916d10.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 18.2.Contact00212399490.exe.5f24629.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.dhcpmon.exe.4753135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 32.2.Contact00212399490.exe.3d43135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.dhcpmon.exe.474eb0c.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 25.2.dhcpmon.exe.3b76d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000022.00000002.425327961.0000000004651000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000022.00000002.425228255.0000000003651000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORY
          Source: Yara match File source: Process Memory Space: Contact00212399490.exe PID: 5276, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 18.2.Contact00212399490.exe.5f20000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.Contact00212399490.exe.3421280.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 33.2.dhcpmon.exe.3723ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.Contact00212399490.exe.4477b08.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.dhcpmon.exe.474eb0c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 32.2.Contact00212399490.exe.3d3eb0c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 32.2.Contact00212399490.exe.3d3eb0c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.Contact00212399490.exe.4477b08.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.Contact00212399490.exe.5f20000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.Contact00212399490.exe.447c131.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 32.2.Contact00212399490.exe.2d13980.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.Contact00212399490.exe.4916d10.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 1.2.Contact00212399490.exe.4916d10.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 18.2.Contact00212399490.exe.5f24629.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 33.2.dhcpmon.exe.4753135.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 32.2.Contact00212399490.exe.3d43135.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 18.2.Contact00212399490.exe.5c90000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 33.2.dhcpmon.exe.474eb0c.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.2.dhcpmon.exe.3b76d10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.dhcpmon.exe.3b76d10.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000022.00000002.425327961.0000000004651000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000022.00000002.425228255.0000000003651000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000012.00000002.494575561.0000000005C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: Contact00212399490.exe PID: 5276, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: Contact00212399490.exe PID: 5276, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
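The match list above names the same process in two notations: unpacked PE dumps ("18.2.Contact00212399490.exe.400000.0.unpack") carry the sandbox process index in decimal, while memory dumps ("00000012.00000002.….sdmp") carry it as zero-padded hex (0x12 = 18, 0x21 = 33, matching "33.2.dhcpmon.exe"). The following triage helper is an added example, my own code rather than anything from the report or from Joe Sandbox, that parses both forms, groups every match by process, and flags processes where rules from two independent authors (Florian Roth's and Kevin Breen's) agree. The field layout assumed for the dump names (process index, analysis stage, dump id, base address, two flag words) is inferred from the cross-references in this report and should be treated as an assumption; the sample lines are a constructed subset copied in the shape of the entries above.

```python
import re
from collections import defaultdict

# Constructed sample: a representative subset of the "Matched rule" entries,
# in the same fused "UNPACKEDPEMatched rule" shape the page extraction produced.
SAMPLE_LINES = [
    "Source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 33.2.dhcpmon.exe.474eb0c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
]

# Tolerates both "UNPACKEDPE Matched rule" and the fused "UNPACKEDPEMatched rule".
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>[A-Z]+?)\s*"
    r"Matched rule: (?P<rule>.+?) Author: (?P<author>.+?)\s*$"
)
# "<proc>.<stage>.<image>.<hexaddr>.<index>[.raw].unpack": decimal process
# index, analysis stage, image name, base address of the dumped region.
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\."
    r"(?P<addr>[0-9a-f]+)\.(?P<idx>\d+)\.(?:raw\.)?unpack$"
)
# Memory dumps: same process index and stage but zero-padded hex (00000012 == 18),
# then dump id, 64-bit base address and two flag words (assumed layout).
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$"
)
PROCSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")


def parse_source(src):
    """Normalise the three source notations into one dict.  'proc' is the
    sandbox process index; whole-process scans only carry the Windows PID."""
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "stage": int(m["stage"]),
                "image": m["image"], "addr": int(m["addr"], 16)}
    m = SDMP_RE.match(src)
    if m:
        return {"kind": "sdmp", "proc": int(m["proc"], 16), "stage": int(m["stage"], 16),
                "image": None, "addr": int(m["addr"], 16)}
    m = PROCSPACE_RE.match(src)
    if m:
        return {"kind": "process", "proc": None, "stage": None,
                "image": m["image"], "addr": None, "pid": int(m["pid"])}
    raise ValueError("unrecognised source: " + src)


def summarize(lines):
    """Group matches by process: {key: {"images", "regions", "rules": {rule: author}}}."""
    out = defaultdict(lambda: {"images": set(), "regions": set(), "rules": {}})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rule-match entry; skip silently
        s = parse_source(m["src"])
        key = f"process {s['proc']}" if s["proc"] is not None else f"{s['image']} PID {s['pid']}"
        entry = out[key]
        if s["image"]:
            entry["images"].add(s["image"])
        if s["addr"] is not None:
            entry["regions"].add(s["addr"])
        entry["rules"][m["rule"]] = m["author"]
    return dict(out)


def independently_corroborated(summary):
    """Keys where rules by at least two different authors matched: a cheap
    false-positive filter before escalating a single-rule hit."""
    return sorted(k for k, v in summary.items() if len(set(v["rules"].values())) >= 2)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for key in sorted(summary):
        v = summary[key]
        regions = ", ".join(f"0x{a:x}" for a in sorted(v["regions"]))
        print(f"{key}: images={sorted(v['images'])} regions=[{regions}] rules={sorted(v['rules'])}")
    print("corroborated by two rule authors:", independently_corroborated(summary))
```

Feed it the full match list from a saved report to get one line per process instead of seventy; a process whose only hit is a single rule over its whole memory space (as for PID 6360 in the constructed sample) is the one to re-check by hand before calling it confirmed.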
          .NET source code contains very large strings
          Source: Contact00212399490.exe, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 1.2.Contact00212399490.exe.e80000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 1.0.Contact00212399490.exe.e80000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 17.2.Contact00212399490.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 17.0.Contact00212399490.exe.2e0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: dhcpmon.exe.18.dr, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 18.0.Contact00212399490.exe.b50000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 18.2.Contact00212399490.exe.b50000.1.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 23.0.Contact00212399490.exe.4e0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: 23.2.Contact00212399490.exe.4e0000.0.unpack, uNotepad/CollectionToSort.cs Long String: Length: 32771
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_017A16DA NtQuerySystemInformation,
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_017A169F NtQuerySystemInformation,
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03445B60
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03443B68
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03444370
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344B558
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03440110
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03442598
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447DB8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03442C20
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03444CE8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_034430B8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03444360
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447BF9
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344A240
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344CE61
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03445A70
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344A230
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447ED4
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03443AD8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447EF3
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344CEA0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03443AAC
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344CEB0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344B2B0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447EB8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344B2B8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03442548
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344B548
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344010C
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03449910
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03449920
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03442589
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447DB0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03448C68
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447C08
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344B808
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_0344B818
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447820
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03447830
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_034494C8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03444CD8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_034430A8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_03448CB8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 1_2_034494B8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_017389D8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_01733850
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_017323A0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_01732FA8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_0173B2A8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_017395D8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_0173306F
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 18_2_0173969F
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A15B60
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A14360
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A13B68
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A130A8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A14CD8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A12C10
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17DB7
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A12598
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A10110
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1CEA0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A13AAC
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1CEB0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1B2B0
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17EB8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17EF3
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17ED4
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A13AD8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1A230
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A15A70
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1A240
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17BF9
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A194B8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A194C8
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17820
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17830
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A17C08
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1B808
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1B818
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A18C68
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A12589
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A19920
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A1010C
          Source: C:\Users\user\Desktop\Contact00212399490.exe Code function: 23_2_02A19910
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D3B68
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D5B60
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D4360
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D2C10
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D4CD8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D30A8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DB548
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D0110
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D2598
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7DB0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DA240
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D5A70
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DA230
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D3AD8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7ED4
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7EF3
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7EB8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DCEB0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DB2B0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D3AAC
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DCEA0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7BF9
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D8C68
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DB818
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7C08
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025DB808
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7830
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D7820
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D94C8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D94B8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D9910
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D0101
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D9920
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 24_2_025D2589
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B130A8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B14CD8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B12C10
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17DB7
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B12598
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B10110
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B14360
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B15B60
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B13B68
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B194B8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B194C8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17830
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17820
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1B817
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1B818
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17C08
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B18C68
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B12589
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B19920
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B19910
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1010C
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1CEB0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1B2B0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17EB8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1CEA0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B13AAC
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17EF3
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B15AFD
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17ED4
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B13AD8
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1A230
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B1A240
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B17BF9
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B13B2A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 25_2_04B15B49
          Source: Contact00212399490.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: dhcpmon.exe.18.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Contact00212399490.exe, 00000001.00000002.321379414.00000000074E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000001.00000000.211780664.0000000000FB3000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerurpD.exe2 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000001.00000002.301522990.0000000001860000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000001.00000002.322118908.0000000008B70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000011.00000000.298347434.0000000000413000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerurpD.exe2 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000002.486778537.00000000012AA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000002.492186132.0000000003411000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000003.308294812.0000000001331000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamerurpD.exe2 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000002.487995396.0000000001790000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000002.495580837.0000000006A80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000012.00000002.494518626.0000000005C30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.407222996.0000000007BE0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.394897792.00000000040DC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.406688308.0000000006860000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000017.00000002.386372991.0000000000613000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerurpD.exe2 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000020.00000000.385765653.0000000000623000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerurpD.exe2 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000020.00000002.410510544.0000000005020000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Contact00212399490.exe
          Source: Contact00212399490.exe, 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Contact00212399490.exe
          Source: Contact00212399490.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 18.2.Contact00212399490.exe.5f20000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.5f20000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.Contact00212399490.exe.3421280.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.3421280.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 33.2.dhcpmon.exe.3723ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.dhcpmon.exe.3723ac8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.Contact00212399490.exe.4477b08.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.4477b08.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.dhcpmon.exe.474eb0c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.dhcpmon.exe.474eb0c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 32.2.Contact00212399490.exe.3d3eb0c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 32.2.Contact00212399490.exe.3d3eb0c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 32.2.Contact00212399490.exe.3d3eb0c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 32.2.Contact00212399490.exe.3d3eb0c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.Contact00212399490.exe.4477b08.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.4477b08.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.Contact00212399490.exe.5f20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.5f20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.Contact00212399490.exe.447c131.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.447c131.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 32.2.Contact00212399490.exe.2d13980.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 32.2.Contact00212399490.exe.2d13980.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 1.2.Contact00212399490.exe.4916d10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.Contact00212399490.exe.4916d10.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 18.2.Contact00212399490.exe.5f24629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.5f24629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 33.2.dhcpmon.exe.4753135.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.dhcpmon.exe.4753135.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 32.2.Contact00212399490.exe.3d43135.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 32.2.Contact00212399490.exe.3d43135.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 18.2.Contact00212399490.exe.5c90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 18.2.Contact00212399490.exe.5c90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 33.2.dhcpmon.exe.474eb0c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 33.2.dhcpmon.exe.474eb0c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 25.2.dhcpmon.exe.3b76d10.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.dhcpmon.exe.3b76d10.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000022.00000002.425327961.0000000004651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000022.00000002.425228255.0000000003651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000012.00000002.494575561.0000000005C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000012.00000002.494575561.0000000005C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: Contact00212399490.exe PID: 5276, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: Contact00212399490.exe PID: 5276, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Contact00212399490.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.18.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/9@12/2
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 1_2_077F0F52 AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 1_2_077F0F1B AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 18_2_017A149A AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 18_2_017A1463 AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File created: C:\Program Files (x86)\DHCP Monitor
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Contact00212399490.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_01
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{238a496b-ffb2-448a-bc1f-f27aa51697ac}
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File created: C:\Users\user\AppData\Local\Temp\tmp203E.tmp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File read: C:\Users\user\Desktop\Contact00212399490.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Contact00212399490.exe 'C:\Users\user\Desktop\Contact00212399490.exe'
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Users\user\Desktop\Contact00212399490.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp203E.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp23F8.tmp'
          Source: unknown | Process created: C:\Users\user\Desktop\Contact00212399490.exe C:\Users\user\Desktop\Contact00212399490.exe 0
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: Contact00212399490.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Contact00212399490.exe | Static file information: File size 1249792 > 1048576
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Contact00212399490.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: indows\symbols\dll\System.pdb source: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
          Source: Binary string: System.pdbM source: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\System.pdb source: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbILE source: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\System.pdb++X source: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
          Source: Binary string: indows\System.pdbpdbtem.pdbar source: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
          Source: Binary string: System.pdb source: Contact00212399490.exe, 00000012.00000002.489301665.00000000030C5000.00000004.00000040.sdmp
          Source: Binary string: mscorrc.pdb source: Contact00212399490.exe, 00000001.00000002.301522990.0000000001860000.00000002.00000001.sdmp, Contact00212399490.exe, 00000012.00000002.494518626.0000000005C30000.00000002.00000001.sdmp, Contact00212399490.exe, 00000017.00000002.406688308.0000000006860000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.418954402.0000000006440000.00000002.00000001.sdmp, dhcpmon.exe, 00000019.00000002.422381656.00000000060F0000.00000002.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Contact00212399490.exe, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.Contact00212399490.exe.e80000.0.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.Contact00212399490.exe.e80000.0.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.2.Contact00212399490.exe.2e0000.0.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.0.Contact00212399490.exe.2e0000.0.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: dhcpmon.exe.18.dr, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 18.0.Contact00212399490.exe.b50000.0.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 18.2.Contact00212399490.exe.b50000.1.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 23.0.Contact00212399490.exe.4e0000.0.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 23.2.Contact00212399490.exe.4e0000.0.unpack, uNotepad/Form1.cs | .Net Code: GGGGGGGGGGGGGGGGGGGG System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 1_2_0344CC68 push ds; ret
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 23_2_02A1CC68 push ds; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_025DCC68 push ds; ret
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 25_2_04B1CC68 push ds; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.74858352039
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 18.2.Contact00212399490.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp203E.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\Contact00212399490.exe | File opened: C:\Users\user\Desktop\Contact00212399490.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe    Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match    File source: Process Memory Space: Contact00212399490.exe PID: 6424, type: MEMORY
          Source: Yara match    File source: Process Memory Space: dhcpmon.exe PID: 6584, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Contact00212399490.exe, 00000001.00000002.302975646.00000000037F1000.00000004.00000001.sdmp, Contact00212399490.exe, 00000017.00000002.389986355.0000000002DC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000002.409362465.0000000002981000.00000004.00000001.sdmp, dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Contact00212399490.exe, 00000001.00000002.302975646.00000000037F1000.00000004.00000001.sdmp, Contact00212399490.exe, 00000017.00000002.389986355.0000000002DC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000002.409362465.0000000002981000.00000004.00000001.sdmp, dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe    Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Window / User API: foregroundWindowGot 621
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 5724    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6476    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6476    Thread sleep count: 153 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6504    Thread sleep count: 31 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6476    Thread sleep count: 157 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6484    Thread sleep count: 38 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6464    Thread sleep count: 45 > 30
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6464    Thread sleep time: -900000s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6524    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6684    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6872    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe TID: 6336    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5932    Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Code function: 18_2_017A11C2 GetSystemInfo,
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: Contact00212399490.exe, 00000012.00000002.495580837.0000000006A80000.00000002.00000001.sdmp    Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: vmware
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: VMWARE
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Contact00212399490.exe, 00000012.00000002.495580837.0000000006A80000.00000002.00000001.sdmp    Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: Contact00212399490.exe, 00000012.00000002.495580837.0000000006A80000.00000002.00000001.sdmp    Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: VMware SVGA II
          Source: Contact00212399490.exe, 00000012.00000002.486921214.000000000132C000.00000004.00000020.sdmp    Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
          Source: dhcpmon.exe, 00000019.00000002.410902694.0000000002A51000.00000004.00000001.sdmp    Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: Contact00212399490.exe, 00000012.00000002.495580837.0000000006A80000.00000002.00000001.sdmp    Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Memory written: C:\Users\user\Desktop\Contact00212399490.exe base: 400000 value starts with: 4D5A
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe    Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Process created: C:\Users\user\Desktop\Contact00212399490.exe {path}
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp203E.tmp'
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp23F8.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe    Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: Contact00212399490.exe, 00000012.00000002.493112085.000000000355E000.00000004.00000001.sdmp    Binary or memory string: Program Manager
          Source: Contact00212399490.exe, 00000012.00000002.488469100.0000000001B60000.00000002.00000001.sdmp    Binary or memory string: Shell_TrayWnd
          Source: Contact00212399490.exe, 00000012.00000002.488469100.0000000001B60000.00000002.00000001.sdmp    Binary or memory string: Progman
          Source: Contact00212399490.exe, 00000012.00000002.492590543.00000000034A0000.00000004.00000001.sdmp    Binary or memory string: Program Manager0
          Source: Contact00212399490.exe, 00000012.00000002.488469100.0000000001B60000.00000002.00000001.sdmp    Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe    Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 18.2.Contact00212399490.exe.5f20000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.4477b08.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.474eb0c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d3eb0c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d3eb0c.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.4477b08.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.5f20000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.447c131.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Contact00212399490.exe.4916d10.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.5f24629.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.4753135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d43135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.474eb0c.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3b76d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000002.425327961.0000000004651000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000002.425228255.0000000003651000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Contact00212399490.exe PID: 5276, type: MEMORY

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: Contact00212399490.exe, 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: Contact00212399490.exe, 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match | File source: 18.2.Contact00212399490.exe.5f20000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.3ee6d10.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.4477b08.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.474eb0c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d3eb0c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d3eb0c.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Contact00212399490.exe.4916d10.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.4477b08.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d39cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.5f20000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.447c131.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3b76d10.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Contact00212399490.exe.4916d10.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.3aa6d10.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.4749cd6.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.Contact00212399490.exe.5f24629.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.4753135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 32.2.Contact00212399490.exe.3d43135.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.dhcpmon.exe.3aa6d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.dhcpmon.exe.474eb0c.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.Contact00212399490.exe.3ee6d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.dhcpmon.exe.3b76d10.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000002.422426870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000002.425327961.0000000004651000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000002.425228255.0000000003651000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6360, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Contact00212399490.exe PID: 5276, type: MEMORY
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 18_2_017A29EA bind,
          Source: C:\Users\user\Desktop\Contact00212399490.exe | Code function: 18_2_017A2998 bind,

          Mitre Att&ck Matrix

          Techniques per tactic column (numeric suffixes as shown in the matrix cells):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: Scheduled Task/Job 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
          Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Privilege Escalation: Access Token Manipulation 1; Process Injection 112; Scheduled Task/Job 1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Defense Evasion: Masquerading 2; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 21; Access Token Manipulation 1; Process Injection 112; Deobfuscate/Decode Files or Information 1; Hidden Files and Directories 1; Obfuscated Files or Information 2; Software Packing 13
          Credential Access: Input Capture 21; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: Security Software Discovery 11; Process Discovery 2; Virtualization/Sandbox Evasion 21; Application Window Discovery 1; System Information Discovery 13; System Owner/User Discovery; Network Sniffing; Network Service Scanning; System Network Connections Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
          Collection: Input Capture 21; Archive Collected Data 11; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 1; Application Layer Protocol 1; Commonly Used Port; Application Layer Protocol; Web Protocols
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

          Behavior Graph

          Behavior Graph ID: 451970 | Sample: Contact00212399490.exe | Startdate: 21/07/2021 | Architecture: WINDOWS | Score: 100

          Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Sigma detected: NanoCore; 6 other signatures

          DNS/IP: hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu (resolved from the start node); 202.55.134.123, ports 2017, 49724, 49727, ADTEC-AS-VNADTECMediaJointStockCompanyVN Viet Nam (contacted by the injected Contact00212399490.exe child); 192.168.2.1 unknown unknown

          Process tree:
          Contact00212399490.exe (started) [Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes]
            -> Contact00212399490.exe (started) [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                 dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmp203E.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
                 -> schtasks.exe (started) -> conhost.exe (started)
                 -> schtasks.exe (started) -> conhost.exe (started)
            -> Contact00212399490.exe (started)
          dhcpmon.exe (started)
            -> dhcpmon.exe (started)
          Contact00212399490.exe (started)
            -> Contact00212399490.exe (started)
          dhcpmon.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          18.2.Contact00212399490.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          18.2.Contact00212399490.exe.5f20000.8.unpack | 100% | Avira | TR/NanoCore.fadte
          18.2.Contact00212399490.exe.4477b08.4.unpack | 100% | Avira | TR/NanoCore.fadte
          32.2.Contact00212399490.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          33.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu | 202.55.134.123 | true | false | (none) | high

            URLs from Memory and Binaries

Name  Source  Malicious  Antivirus Detection  Reputation

                                  Contacted IPs


                                  Public

IP:202.55.134.123
Domain:hncbeyghfsbvcuabgsbncvzgaioiuyegdbhabbbw.ydns.eu
Country:Viet Nam
ASN:45540
ASN Name:ADTEC-AS-VN ADTEC Media Joint Stock Company, VN
Malicious:false

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

                                  Joe Sandbox Version:33.0.0 White Diamond
                                  Analysis ID:451970
                                  Start date:21.07.2021
                                  Start time:16:28:53
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 13m 46s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:Contact00212399490.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:38
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@20/9@12/2
                                  EGA Information:Failed
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • TCP Packets have been reduced to 100
                                  • Excluded IPs from analysis (whitelisted): 40.88.32.150, 23.54.113.53, 104.43.193.48, 52.255.188.83, 104.42.151.234, 23.54.113.104, 20.82.210.154, 67.26.83.254, 8.238.85.126, 67.27.158.126, 67.27.157.254, 8.253.145.105, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.50.102.62
                                  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                  Simulations

                                  Behavior and APIs

Time  Type  Description
16:30:29  Autostart  Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:30:30  Task Scheduler  Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Contact00212399490.exe" s>$(Arg0)
16:30:30  API Interceptor  627x Sleep call for process: Contact00212399490.exe modified
16:30:33  Task Scheduler  Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):1249792
                                  Entropy (8bit):7.296203531808417
                                  Encrypted:false
                                  SSDEEP:24576:UpAJYYuDA0w9KPf5iodHl5Rus+xr9Yipb:UtA59ExiodHjczZ
                                  MD5:A6BD3DE048002BEE7A8D973C887227D8
                                  SHA1:90CF93D93B141654A62FF3A3B6810FAEF2FF3D69
                                  SHA-256:1E3539B9DE51134004FF4BFF43AB144E748A329265DECF8421442CEF3109210D
                                  SHA-512:6B84954F6DBE9C7D5A7580C2D917414A7875494508A3D17B4F092D270FECBE695E10F6EB27DE52AAC807D06A432E3902DC9A9671C7BC2B170B46AFBA1B6F30C6
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!.`..............0..*..........NH... ...`....@.. ....................................@..................................G..O....`..$....................`....................................................... ............... ..H............text...t(... ...*.................. ..`.rsrc...$....`.......,..............@..@.reloc.......`......................@..B................0H......H.......................P..(...........................................^..}.....(.......(.....*&..(.....*...0..+.........,..{.......+....,...{....o........(.....*..0..R.........s....}.....s....}.....s....}.....s....}.....{....o......(......{........s....o......{........s....o .....{....r...po!.....{.... .... ....s"...o#.....{.....o$.....{.....o%.....{.....o&.....{.....o'.....{....r...p"...A.. ....s(...o).....{.... =....+s....o......{........s....o .....{....r)..po!.....{....
                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: [ZoneTransfer]....ZoneId=0
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Contact00212399490.exe.log
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):525
                                  Entropy (8bit):5.2874233355119316
                                  Encrypted:false
                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):525
                                  Entropy (8bit):5.2874233355119316
                                  Encrypted:false
                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                  C:\Users\user\AppData\Local\Temp\tmp203E.tmp
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1308
                                  Entropy (8bit):5.127828672196681
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Bbxxtn:cbk4oL600QydbQxIYODOLedq3uxj
                                  MD5:FF1EAD8DD1A327803CC0AF366C4779BE
                                  SHA1:5D8B3A64E735C55AD2D37F07E5324A0D07D3759F
                                  SHA-256:8A7A84F8AA98258FDE30287A469E05946729DC733298243F8E30AA35767A3467
                                  SHA-512:249FC4E9676141BF6B1922CDD5103AE6F224B0255E15FACB806B190BCE83E8766E7567218C16D537FA469F27CC39D0B98518771B997AEA77CEAFC8CC947BB626
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  C:\Users\user\AppData\Local\Temp\tmp23F8.tmp
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1310
                                  Entropy (8bit):5.109425792877704
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):2088
                                  Entropy (8bit):7.024371743172393
                                  Encrypted:false
                                  SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
                                  MD5:0D6805D12813A857D50D42D6EE2CCAB0
                                  SHA1:78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
                                  SHA-256:182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
                                  SHA-512:5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:Non-ISO extended-ASCII text, with NEL line terminators
                                  Category:dropped
                                  Size (bytes):8
                                  Entropy (8bit):3.0
                                  Encrypted:false
                                  SSDEEP:3:Ts/t:yt
                                  MD5:A8C6CE27FDAD82203BB2ED4E9A023677
                                  SHA1:A4962AE7B7A6A7435C1EA5452EF02339C9831AA9
                                  SHA-256:E93547D3CF9BAA27E30936696631627B1BF44F07E2AC6793A0A66AE7E264081E
                                  SHA-512:8BD3060CCC25656213053CCA1AC1A6EE7EFF8DF3BC9AE9A084A6ACD4EB673D95D3B7B097992C4725DBB1BAA0EA4BD82DE331712203CAFBFBB8C1155CEFCF6A2B
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: /-...L.H
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                  Process:C:\Users\user\Desktop\Contact00212399490.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):45
                                  Entropy (8bit):4.491418651692922
                                  Encrypted:false
                                  SSDEEP:3:oNWXp5vmKlxEXWcrJ:oNWXpFmEx+WcrJ
                                  MD5:4979705993AF30ED02989EE5ACDC91C6
                                  SHA1:E528A9C66F0045827240596C66B9F1B141503DB1
                                  SHA-256:3918BA8BED55D1B40797E60A055BE2C5B70069A04D1E8162D510FEA3FA121AFF
                                  SHA-512:3165B9EF14162D8AAEBF34C8583A2B9094839DC2F5565D6BBCE7F714C78C4B26C9482B55C23BD2B4515D5CD0754FF88BE701A3540958D9D2218826013CFB315F
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: C:\Users\user\Desktop\Contact00212399490.exe

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.296203531808417
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:Contact00212399490.exe
File size:1249792 bytes
                                  MD5:a6bd3de048002bee7a8d973c887227d8
                                  SHA1:90cf93d93b141654a62ff3a3b6810faef2ff3d69
                                  SHA256:1e3539b9de51134004ff4bff43ab144e748a329265decf8421442cef3109210d
                                  SHA512:6b84954f6dbe9c7d5a7580c2d917414a7875494508a3d17b4f092d270fecbe695e10f6eb27de52aac807d06a432e3902dc9a9671c7bc2b170b46afba1b6f30c6
                                  SSDEEP:24576:UpAJYYuDA0w9KPf5iodHl5Rus+xr9Yipb:UtA59ExiodHjczZ
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!.`..............0..*..........NH... ...`....@.. ....................................@................................

                                  File Icon

                                  Icon Hash:f0debeffdffeec70

                                  Static PE Info

                                  General

                                  Entrypoint:0x4d484e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x60F821D2 [Wed Jul 21 13:32:02 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v2.0.50727
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
jmp dword ptr [00402000h] ; indirect jump through the IAT entry at RVA 0x2000 (mscoree.dll!_CorExeMain): the standard 6-byte CLR entry stub. The "instructions" listed after it are header data and padding decoded as code, not a real prologue.
                                  mov ebp, 2D000002h
                                  add dword ptr [eax], eax
                                  add byte ptr [eax+eax+00390000h], al
                                  add byte ptr [eax], al
                                  pop ss
                                  add byte ptr [eax], al
                                  add byte ptr [edx], cl
                                  add byte ptr [eax], al
                                  add byte ptr [eax+eax], al
add byte ptr [eax], al (this same instruction repeats for the remaining 84 entries of the preview: the bytes after the CLR stub are zeros, which decode as add byte ptr [eax], al)

                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd47fc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x5e324 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x136000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd2874 | 0xd2a00 | False | 0.862556797107 | data | 7.74858352039 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xd6000 | 0x5e324 | 0x5e400 | False | 0.167370378813 | data | 5.64060790935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x136000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
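The static tables above already contain the numbers an analyst needs for first-pass triage; the script below, added here as an example and not part of the sandbox output, re-types those values (file size, TimeDateStamp, section table, the SECURITY and COM_DESCRIPTOR data-directory sizes) and runs three checks on them: decode the compile timestamp, flag executable sections whose entropy is near the 8-bit maximum (the 7.75 of .text is what you expect from a packed or encrypted payload, consistent with the ".NET source code contains very large strings" signature), and compute whether the file carries an overlay beyond headers plus section data. The 0x200 header size is an assumption (SizeOfHeaders is not in the report), as is the 7.0 entropy threshold.

```python
"""Static PE triage over the header fields listed in this report.

Added example, not part of the sandbox report. The constants are copied from
the Static File Info / Data Directories / Sections tables of the report; the
header size and entropy threshold are assumptions, marked as such.
"""
from datetime import datetime, timezone

FILE_SIZE = 1249792                # "File size" from the report
TIME_DATE_STAMP = 0x60F821D2       # IMAGE_FILE_HEADER.TimeDateStamp from the report
SECURITY_DIR_SIZE = 0x0            # IMAGE_DIRECTORY_ENTRY_SECURITY size (no Authenticode blob)
COM_DESCRIPTOR_SIZE = 0x48         # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR size (CLR header present)
SECTIONS = [                       # from the Sections table
    {"name": ".text", "va": 0x2000, "vsize": 0xd2874, "raw": 0xd2a00,
     "entropy": 7.74858352039, "flags": {"EXECUTE", "CODE", "READ"}},
    {"name": ".rsrc", "va": 0xd6000, "vsize": 0x5e324, "raw": 0x5e400,
     "entropy": 5.64060790935, "flags": {"INITIALIZED_DATA", "READ"}},
    {"name": ".reloc", "va": 0x136000, "vsize": 0xc, "raw": 0x200,
     "entropy": 0.101910425663, "flags": {"INITIALIZED_DATA", "DISCARDABLE", "READ"}},
]
HEADERS_SIZE = 0x200   # assumption: SizeOfHeaders is not in the report; 0x200 is the usual value
ENTROPY_THRESHOLD = 7.0  # assumption: above this, 8-bit entropy indicates compressed/encrypted data


def compile_time(stamp):
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def packed_sections(sections, threshold=ENTROPY_THRESHOLD):
    """Names of executable sections whose entropy is at or above the threshold.
    Real x86 code sits well below 7; values near 8 mean the section mostly
    holds a packed or encrypted blob that is unpacked at run time."""
    return [s["name"] for s in sections
            if "EXECUTE" in s["flags"] and s["entropy"] >= threshold]


def overlay_bytes(file_size, sections, headers=HEADERS_SIZE):
    """Bytes of the file not covered by headers plus section raw data.
    A positive value is an overlay: data appended after the last section,
    a common place for a hidden payload or configuration."""
    return file_size - headers - sum(s["raw"] for s in sections)


def triage(file_size=FILE_SIZE, stamp=TIME_DATE_STAMP, sections=SECTIONS,
           security_size=SECURITY_DIR_SIZE, com_size=COM_DESCRIPTOR_SIZE):
    """Collect the triage results into one record."""
    return {
        "compiled_utc": compile_time(stamp).isoformat(),
        "is_dotnet": com_size > 0,           # CLR header present
        "authenticode": security_size > 0,   # certificate table present
        "packed_sections": packed_sections(sections),
        "overlay_bytes": overlay_bytes(file_size, sections),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On this sample the script reports a 2021-07-21 13:32:02 UTC build time (about an hour before the sandbox run), a .NET binary with no Authenticode signature, .text as the only packed section, and no overlay, so the encrypted stage lives inside .text rather than appended to the file.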

                                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xd61a0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xd6618 | 0x1128 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xd7750 | 0x2668 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xd9dc8 | 0x4428 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xde200 | 0x11028 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0xef238 | 0x44028 | data | |
RT_GROUP_ICON | 0x133270 | 0x5a | data | |
RT_VERSION | 0x1332dc | 0x30c | data | |
RT_MANIFEST | 0x1335f8 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                                  Imports

DLL | Import
mscoree.dll | _CorExeMain

                                  Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016
Assembly Version | 1.0.0.0
InternalName | rurpD.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | uNotepad
ProductVersion | 1.0.0.0
FileDescription | uNotepad
OriginalFilename | rurpD.exe

                                  Network Behavior

                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/21/21-16:30:35.553871 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:30:42.799204 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:30:49.455492 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:30:56.688728 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:31:03.513825 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:31:10.011751 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:31:21.029571 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:31:27.895143 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49749 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:31:40.457114 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:31:47.386740 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 2017 | 192.168.2.3 | 202.55.134.123
07/21/21-16:31:53.546692 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 2017 | 192.168.2.3 | 202.55.134.123
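Each Snort hit above is a fresh outbound connection (a new ephemeral source port every time) to the same host and port, roughly seven seconds apart. The script below is an added example, not part of the sandbox report: it re-types the eleven alert rows in the table's column order (the message field quoted so it parses as one token), then measures the inter-arrival times to show what the table only hints at, a fixed-interval beacon with two missed beats. The 30 % tolerance used to call an interval "regular" is an assumption.

```python
"""Beacon-interval profile over the Snort alerts listed in this report.

Added example, not part of the sandbox report. SNORT_ALERTS holds the eleven
rows of the report's Snort table, re-typed with the message in quotes so that
shlex can split the line into its eight columns.
"""
import shlex
from datetime import datetime
from statistics import median

# Rows copied from the report's Snort table (timestamps are sandbox local time, CEST).
SNORT_ALERTS = """\
07/21/21-16:30:35.553871 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49724 2017 192.168.2.3 202.55.134.123
07/21/21-16:30:42.799204 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49727 2017 192.168.2.3 202.55.134.123
07/21/21-16:30:49.455492 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49737 2017 192.168.2.3 202.55.134.123
07/21/21-16:30:56.688728 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49743 2017 192.168.2.3 202.55.134.123
07/21/21-16:31:03.513825 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49744 2017 192.168.2.3 202.55.134.123
07/21/21-16:31:10.011751 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49745 2017 192.168.2.3 202.55.134.123
07/21/21-16:31:21.029571 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49746 2017 192.168.2.3 202.55.134.123
07/21/21-16:31:27.895143 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49749 2017 192.168.2.3 202.55.134.123
07/21/21-16:31:40.457114 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49751 2017 192.168.2.3 202.55.134.123
07/21/21-16:31:47.386740 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49752 2017 192.168.2.3 202.55.134.123
07/21/21-16:31:53.546692 TCP 2025019 "ET TROJAN Possible NanoCore C2 60B" 49753 2017 192.168.2.3 202.55.134.123
"""

REGULAR_TOLERANCE = 0.3  # assumption: an interval within +/-30% of the median counts as "on schedule"


def parse_alerts(text):
    """Split each row into the eight Snort columns; the quoted message is one token."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sid, msg, sport, dport, src, dst = shlex.split(line)
        rows.append({
            "time": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
            "proto": proto, "sid": int(sid), "msg": msg,
            "sport": int(sport), "dport": int(dport), "src": src, "dst": dst,
        })
    return rows


def beacon_profile(rows, tolerance=REGULAR_TOLERANCE):
    """Inter-arrival statistics for a set of alerts against one C2.

    A high regular_fraction with a small median interval is the signature of a
    timer-driven check-in; the outliers are beats the sandbox did not see
    (or that the rule did not match), not a change of schedule."""
    times = sorted(r["time"] for r in rows)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not deltas:
        return {"connections": len(rows), "median_interval_s": None}
    med = median(deltas)
    regular = [d for d in deltas if abs(d - med) <= tolerance * med]
    return {
        "connections": len(rows),
        "distinct_src_ports": len({r["sport"] for r in rows}),  # one TCP session per beacon
        "c2": sorted({(r["dst"], r["dport"]) for r in rows}),
        "median_interval_s": round(med, 3),
        "min_interval_s": round(min(deltas), 3),
        "max_interval_s": round(max(deltas), 3),
        "regular_fraction": len(regular) / len(deltas),
    }


if __name__ == "__main__":
    for key, value in beacon_profile(parse_alerts(SNORT_ALERTS)).items():
        print(f"{key}: {value}")
```

For these eleven alerts the median interval is about 6.9 s, eight of the ten gaps fall inside the tolerance band, and the two outliers (11.0 s and 12.6 s) are close to a skipped beat rather than a different schedule; every alert uses a new source port, so the implant opens a short-lived TCP session per check-in instead of holding one connection.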

                                  Network Port Distribution

                                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 21, 2021 16:30:34.971980095 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:35.240001917 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:35.240109921 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:35.553870916 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:35.835505009 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:35.910645008 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:36.258276939 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:36.596159935 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:36.596249104 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:36.864461899 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:36.864639044 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.188999891 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.189254045 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.522926092 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.523031950 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.549905062 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.549942017 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.549966097 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.549988031 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.549998999 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.550057888 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.550065994 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.818854094 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.818891048 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.818913937 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.818979979 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.818983078 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.819008112 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.819009066 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.819032907 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.819056988 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.819058895 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.819082022 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:37.819082022 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.819132090 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:37.819171906 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087275028 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087322950 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087348938 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087372065 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087389946 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087413073 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087431908 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087433100 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087457895 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087466002 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087481976 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087485075 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087505102 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087519884 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087527990 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087537050 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087559938 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087578058 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087636948 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087660074 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087687016 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087693930 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087707043 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087719917 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087744951 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.087768078 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.087799072 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.179565907 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.355798006 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.355830908 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.355849028 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.355866909 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.355974913 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.356021881 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.356065989 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356144905 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356163979 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356180906 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356200933 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356209993 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.356220961 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356239080 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356260061 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356262922 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.356298923 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.356765032 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356786966 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356801033 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356815100 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356836081 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356853962 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356872082 CEST | 49724 | 2017 | 192.168.2.3 | 202.55.134.123
Jul 21, 2021 16:30:38.356875896 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
Jul 21, 2021 16:30:38.356897116 CEST | 2017 | 49724 | 202.55.134.123 | 192.168.2.3
                                  Jul 21, 2021 16:30:38.356914043 CEST201749724202.55.134.123192.168.2.3
                                  Jul 21, 2021 16:30:38.356931925 CEST201749724202.55.134.123192.168.2.3
                                  Jul 21, 2021 16:30:38.356940031 CEST497242017192.168.2.3202.55.134.123
                                  Jul 21, 2021 16:30:38.356952906 CEST201749724202.55.134.123192.168.2.3
                                  Jul 21, 2021 16:30:38.356961012 CEST497242017192.168.2.3202.55.134.123
                                  Jul 21, 2021 16:30:38.356971979 CEST201749724202.55.134.123192.168.2.3
                                  Jul 21, 2021 16:30:38.356990099 CEST201749724202.55.134.123192.168.2.3
                                  Jul 21, 2021 16:30:38.357007980 CEST201749724202.55.134.123192.168.2.3
                                  Jul 21, 2021 16:30:38.357011080 CEST497242017192.168.2.3202.55.134.123
                                  Jul 21, 2021 16:30:38.357029915 CEST201749724202.55.134.123192.168.2.3

                                  UDP Packets


                                  DNS Queries


                                  DNS Answers


                                  Code Manipulations

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time: 16:29:45
                                  Start date: 21/07/2021
                                  Path: C:\Users\user\Desktop\Contact00212399490.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\Desktop\Contact00212399490.exe'
                                  Imagebase: 0xe80000
                                  File size: 1249792 bytes
                                  MD5 hash: A6BD3DE048002BEE7A8D973C887227D8
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: .Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.307046969.00000000047D6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation: low

                                  General

                                  Start time: 16:30:25
                                  Start date: 21/07/2021
                                  Path: C:\Users\user\Desktop\Contact00212399490.exe
                                  Wow64 process (32bit): false
                                  Commandline: {path}
                                  Imagebase: 0x2e0000
                                  File size: 1249792 bytes
                                  MD5 hash: A6BD3DE048002BEE7A8D973C887227D8
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: low

                                  General

                                  Start time: 16:30:26
                                  Start date: 21/07/2021
                                  Path: C:\Users\user\Desktop\Contact00212399490.exe
                                  Wow64 process (32bit): true
                                  Commandline: {path}
                                  Imagebase: 0xb50000
                                  File size: 1249792 bytes
                                  MD5 hash: A6BD3DE048002BEE7A8D973C887227D8
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: .Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.493564138.0000000004468000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.494730709.0000000005F20000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.481278156.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000012.00000002.494575561.0000000005C90000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.494575561.0000000005C90000.00000004.00000001.sdmp, Author: Florian Roth
                                  Reputation: low

                                  General

                                  Start time: 16:30:28
                                  Start date: 21/07/2021
                                  Path: C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp203E.tmp'
                                  Imagebase: 0xfc0000
                                  File size: 185856 bytes
                                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 16:30:28
                                  Start date: 21/07/2021
                                  Path: C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase: 0x7ff6b2800000
                                  File size: 625664 bytes
                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 16:30:29
                                  Start date: 21/07/2021
                                  Path: C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp23F8.tmp'
                                  Imagebase: 0xfc0000
                                  File size: 185856 bytes
                                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 16:30:30
                                  Start date: 21/07/2021
                                  Path: C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase: 0x7ff6b2800000
                                  File size: 625664 bytes
                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 16:30:30
                                  Start date: 21/07/2021
                                  Path: C:\Users\user\Desktop\Contact00212399490.exe
                                  Wow64 process (32bit): true
                                  Commandline: C:\Users\user\Desktop\Contact00212399490.exe 0
                                  Imagebase: 0x4e0000
                                  File size: 1249792 bytes
                                  MD5 hash: A6BD3DE048002BEE7A8D973C887227D8
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: .Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.391430185.0000000003DA6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation: low

                                  General

                                  Start time: 16:30:33
                                  Start date: 21/07/2021
                                  Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                  Imagebase: 0x1f0000
                                  File size: 1249792 bytes
                                  MD5 hash: A6BD3DE048002BEE7A8D973C887227D8
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: .Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.411512020.0000000003966000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation: low

                                  General

                                  Start time: 16:30:38
                                  Start date: 21/07/2021
                                  Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                  Imagebase: 0xe0000
                                  File size: 1249792 bytes
                                  MD5 hash: A6BD3DE048002BEE7A8D973C887227D8
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: .Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.413945103.0000000003A36000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation: low

                                  General

                                  Start time:16:31:06
                                  Start date:21/07/2021
                                  Path:C:\Users\user\Desktop\Contact00212399490.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x4f0000
                                  File size:1249792 bytes
                                  MD5 hash:A6BD3DE048002BEE7A8D973C887227D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.403561087.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.409908287.0000000002CF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.409994109.0000000003CF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 16:31:11
Start date: 21/07/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xdf0000
File size: 1249792 bytes
MD5 hash: A6BD3DE048002BEE7A8D973C887227D8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.422634506.0000000003701000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.417010887.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.422686382.0000000004701000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                  Disassembly

                                  Code Analysis
