Windows Analysis Report WrNhr6yUD8.exe

Overview

General Information

Sample Name: WrNhr6yUD8.exe
Analysis ID: 452096
MD5: fb64fc2471a48928b7989f7e959de261
SHA1: 334f95083ee83d20255b87e0bfd4aae86a922d20
SHA256: cc536d630284e622821d1034fadec488cb35dc72bdfb75edbd184a638d052f98
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • WrNhr6yUD8.exe (PID: 896 cmdline: 'C:\Users\user\Desktop\WrNhr6yUD8.exe' MD5: FB64FC2471A48928B7989F7E959DE261)
    • WrNhr6yUD8.exe (PID: 5916 cmdline: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe MD5: FB64FC2471A48928B7989F7E959DE261)
  • dhcpmon.exe (PID: 5660 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: FB64FC2471A48928B7989F7E959DE261)
    • dhcpmon.exe (PID: 612 cmdline: C:\Users\user\AppData\Local\Temp\dhcpmon.exe MD5: FB64FC2471A48928B7989F7E959DE261)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.WrNhr6yUD8.exe.74d0000.26.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
14.2.WrNhr6yUD8.exe.74d0000.26.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
14.2.WrNhr6yUD8.exe.44b9930.7.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
14.2.WrNhr6yUD8.exe.44b9930.7.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
14.2.WrNhr6yUD8.exe.7590000.36.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: WrNhr6yUD8.exe, Virustotal: Detection: 30%
Source: WrNhr6yUD8.exe, ReversingLabs: Detection: 21%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WrNhr6yUD8.exe, Joe Sandbox ML: detected
Source: 14.2.WrNhr6yUD8.exe.4518a28.8.unpack, Avira: Label: TR/NanoCore.fadte
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.WrNhr6yUD8.exe.5c70000.20.unpack, Avira: Label: TR/NanoCore.fadte
Source: 22.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: WrNhr6yUD8.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: WrNhr6yUD8.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb, source: WrNhr6yUD8.exe, 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb, source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb, source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb, source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb, source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb, source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49714 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49716 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49729 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49730 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49734 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49735 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 37.0.8.214:8234
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 37.0.8.214:8234
Uses dynamic DNS services
Source: unknown, DNS query: name: hhjhtggfr.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.5:49714 -> 37.0.8.214:8234
Source: unknown, DNS traffic detected: queries for: hhjhtggfr.duckdns.org
Source: WrNhr6yUD8.exe, 00000000.00000002.307451021.0000000000B40000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.WrNhr6yUD8.exe.292485c.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WrNhr6yUD8.exe.7550000.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WrNhr6yUD8.exe.34f3d64.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WrNhr6yUD8.exe.3503774.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3f37128.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3f37128.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WrNhr6yUD8.exe.4630889.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WrNhr6yUD8.exe.3540f40.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.WrNhr6yUD8.exe.3540f40.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WrNhr6yUD8.exe.463cabd.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.WrNhr6yUD8.exe.46510ea.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000016.00000002.424925007.00000000040E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.409979115.0000000002E9D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000010.00000002.409979115.0000000002E9D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.507410107.0000000007510000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000016.00000002.424776175.00000000030E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.507284046.00000000074E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.507147677.00000000074B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.505956339.0000000005A20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.504700403.000000000479F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.308575708.00000000028DA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.308575708.00000000028DA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.507370869.0000000007500000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.500382926.00000000034B1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.507319723.00000000074F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000E.00000002.507514929.0000000007550000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe, Code function: 0_2_00B2C114
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe, Code function: 0_2_00B2E558
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe, Code function: 0_2_00B2E548
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe, Code function: 0_2_075A81D0
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_03389788
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_0338F5F8
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_05966550
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_0596C4D8
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_05963E30
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_0596D0F0
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_05964A50
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_0596D428
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_0596D1AE
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_05964B08
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_065E8348
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_065E0040
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_065E8F60
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe, Code function: 14_2_065E9298
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 16_2_02B7C114
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 16_2_02B7E558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 16_2_02B7E548
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, Code function: 22_2_02ECE480
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, Code function: 22_2_02ECE471
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, Code function: 22_2_02ECBBD4
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, Code function: 22_2_056AF5F8
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, Code function: 22_2_056A9788
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe, Code function: 22_2_056AA610
Source: WrNhr6yUD8.exe, Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: WrNhr6yUD8.exe.0.dr, Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: dhcpmon.exe.14.dr, Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: dhcpmon.exe.16.dr, Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: WrNhr6yUD8.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WrNhr6yUD8.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.14.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.16.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WrNhr6yUD8.exe, 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameOlfmjpznqzbm.dll: vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 00000000.00000000.230145512.00000000003EC000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamezONE C.exe0 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 00000000.00000002.315692450.0000000006C60000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 00000000.00000002.307451021.0000000000B40000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 00000000.00000003.302133602.0000000003D33000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNrsdulvhfajkvkrzy.dll" vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 00000000.00000002.308173245.00000000027A1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.497751065.000000000106C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamezONE C.exe0 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNAudio.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.505807875.0000000005930000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.507665027.00000000075A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, Binary or memory string: OriginalFilenamezONE C.exe0 vs WrNhr6yUD8.exe
Source: WrNhr6yUD8.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 14.2.WrNhr6yUD8.exe.74d0000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.74d0000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.44b9930.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.44b9930.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7590000.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7590000.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.3540f40.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.3540f40.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.44be5cf.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.44be5cf.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7480000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7480000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.2ee48d4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.2ee48d4.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.2ee48d4.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.3503774.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.3503774.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.74b0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.74b0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7510000.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7510000.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7540000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7540000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.451d051.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.451d051.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.74f0000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.74f0000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7500000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7500000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.44b9930.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.44b9930.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.4518a28.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.4518a28.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7540000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7540000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.dhcpmon.exe.3149644.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.3149644.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7520000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7520000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.2ee48d4.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.2ee48d4.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.2ee48d4.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.5c70000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.5c70000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7520000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7520000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.48126e6.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.48126e6.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.463cabd.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.463cabd.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7510000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7510000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.44c81d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.44c81d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.6830000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.6830000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.dhcpmon.exe.412ff3c.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.412ff3c.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.3f37128.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3f37128.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.3f37128.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.47fb487.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.47fb487.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7554c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7554c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.4518a28.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.4518a28.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.74e0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.74e0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.6830000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.6830000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.5a20000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.5a20000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WrNhr6yUD8.exe.292485c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.WrNhr6yUD8.exe.292485c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WrNhr6yUD8.exe.292485c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.48042b6.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.48042b6.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7550000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7550000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.dhcpmon.exe.412ff3c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.412ff3c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7480000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7480000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.74e0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.74e0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.5c74629.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.5c74629.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.48042b6.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.48042b6.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.74d0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.74d0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7590000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7590000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.7500000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7500000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.48126e6.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.48126e6.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.47fb487.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.47fb487.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.47fb487.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.4134565.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.4134565.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.4630889.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.4630889.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.5c70000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.5c70000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.dhcpmon.exe.412b106.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.412b106.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.dhcpmon.exe.412b106.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.4504565.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.4504565.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.WrNhr6yUD8.exe.755e8a4.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.755e8a4.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WrNhr6yUD8.exe.292485c.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.WrNhr6yUD8.exe.292485c.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WrNhr6yUD8.exe.292485c.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.7550000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.7550000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.34f3d64.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.3503774.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3f37128.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3f37128.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.4630889.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.3540f40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.WrNhr6yUD8.exe.3540f40.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.463cabd.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.WrNhr6yUD8.exe.46510ea.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.WrNhr6yUD8.exe.38f6908.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000002.424925007.00000000040E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.409979115.0000000002E9D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.409979115.0000000002E9D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.507410107.0000000007510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507410107.0000000007510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000002.424776175.00000000030E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.507284046.00000000074E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507284046.00000000074E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.507147677.00000000074B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507147677.00000000074B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.505956339.0000000005A20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.505956339.0000000005A20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.504700403.000000000479F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.308575708.00000000028DA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.308575708.00000000028DA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.507370869.0000000007500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507370869.0000000007500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.500382926.00000000034B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.507319723.00000000074F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.507319723.00000000074F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.507514929.0000000007550000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: WrNhr6yUD8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WrNhr6yUD8.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.14.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.16.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WrNhr6yUD8.exe, 00000000.00000003.237026321.00000000055F4000.00000004.00000001.sdmp | Binary or memory string: DYu Type Library is a Trademark of JIYUKOBO Ltd. registered in Japan.slnt
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/12@14/2
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WrNhr6yUD8.exe.log
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9}
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | File created: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WrNhr6yUD8.exe | Virustotal: Detection: 30%
Source: WrNhr6yUD8.exe | ReversingLabs: Detection: 21%
Source: WrNhr6yUD8.exe | String found in binary or memory: fCOcU5Rgqu27XnyItfqXjt6goYooRVKXd27V1Bki63j+h\7rQTRIwkSpUTNO5UoXhcnm4uG6VPloRXRGfROdM3jP+/Jg7zTnF/Pk6f4obYBF/VmiLjtOAPx86pn0xMvhz2jH3jrZI/ADd98Zq3Fh\7V0CZx9luDzwRxNciOU9t7wbiKFz0uHmouVkiWNyXLC0ekNtJee6q0U96jLOK7KveCp3OX0BU3oX+aIVwa5johciWTE39NXc2TmP4S\700fK9w8
Source: dhcpmon.exe | String found in binary or memory: fCOcU5Rgqu27XnyItfqXjt6goYooRVKXd27V1Bki63j+h\7rQTRIwkSpUTNO5UoXhcnm4uG6VPloRXRGfROdM3jP+/Jg7zTnF/Pk6f4obYBF/VmiLjtOAPx86pn0xMvhz2jH3jrZI/ADd98Zq3Fh\7V0CZx9luDzwRxNciOU9t7wbiKFz0uHmouVkiWNyXLC0ekNtJee6q0U96jLOK7KveCp3OX0BU3oX+aIVwa5johciWTE39NXc2TmP4S\700fK9w8
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | File read: C:\Users\user\Desktop\WrNhr6yUD8.exe
Source: unknown | Process created: C:\Users\user\Desktop\WrNhr6yUD8.exe 'C:\Users\user\Desktop\WrNhr6yUD8.exe'
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Process created: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: WrNhr6yUD8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WrNhr6yUD8.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: WrNhr6yUD8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: WrNhr6yUD8.exe, Form1.cs | .Net Code: LetDom System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: WrNhr6yUD8.exe, Form1.cs | .Net Code: <LetDom>b__8_0 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: WrNhr6yUD8.exe.0.dr, Form1.cs | .Net Code: LetDom System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: WrNhr6yUD8.exe.0.dr, Form1.cs | .Net Code: <LetDom>b__8_0 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.14.dr, Form1.cs | .Net Code: LetDom System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.14.dr, Form1.cs | .Net Code: <LetDom>b__8_0 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.16.dr, Form1.cs | .Net Code: LetDom System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.16.dr, Form1.cs | .Net Code: <LetDom>b__8_0 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: WrNhr6yUD8.exe | Static PE information: 0xF8B1A194 [Tue Mar 21 13:26:44 2102 UTC]
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_0033982D pushad ; ret
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_00339019 push ebx; retf
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_0033AF5E push ebx; retf
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_0033B14E push es; retf
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_0033B185 push edi; retf
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_0033ADE6 push FFFFFFD1h; ret
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_0033AACC push esi; ret
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_00B2F910 push eax; iretd
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_075634B9 pushad ; iretd
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_075A4FCA push ds; ret
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Code function: 0_2_075A34F8 push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_00FBADE6 push FFFFFFD1h; ret
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_00FBAACC push esi; ret
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_00FBB185 push edi; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_00FBAF5E push ebx; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_00FBB14E push es; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_00FB982D pushad ; ret
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_00FB9019 push ebx; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_033886F8 push C0335001h; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_03386A00 push esp; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_033869F8 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_0596B15A push 0000007Fh; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_0596B3C1 push 8BB44589h; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_0596B330 push 8BBC4589h; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_0596B379 push 8BB84589h; retf
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Code function: 14_2_0596B2E4 push 8BC04589h; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 16_2_0082B185 push edi; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 16_2_0082AACC push esi; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 16_2_0082ADE6 push FFFFFFD1h; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 16_2_00829019 push ebx; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 16_2_0082982D pushad ; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.02528915193
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | File created: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | File opened: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: WrNhr6yUD8.exe, 00000000.00000002.308173245.00000000027A1000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.409637733.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Window / User API: threadDelayed 4916
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Window / User API: threadDelayed 3847
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Window / User API: foregroundWindowGot 483
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Window / User API: foregroundWindowGot 577
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe TID: 1256 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe TID: 6124 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 400 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe TID: 4904 | Thread sleep time: -922337203685477s >= -30000s
Source: dhcpmon.exe, 00000010.00000002.409637733.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: WrNhr6yUD8.exe, 0000000E.00000002.507665027.00000000075A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000010.00000002.409637733.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: dhcpmon.exe | Binary or memory string: zZDcZaXf4YiyDJSFMlzLZl/qv94xm6cSNvO1+Y+cvoKNQGZZo4+8gBpwMH1MdF86zHj\7dQeaHfNJcHa70eGL8pxBP3dPj2Djk0WuhaDVr/HYjxYVppgmwzp9ZHv9wHgFsp0xgiqDyZFIb+eofTlYL0btsXmPtKp5msWggNG2U\7acvZVsBJHRtj7FfRMgqMz/dOMVOq5eaRZY7X1lloLC0SZa+hmE5DlwDRbPhKD8sMkFg5SR9zjj9Hr1R0gX8/VidY
Source: dhcpmon.exe | Binary or memory string: Du0mtmm1svYuhxh8LEXWqjyl\7TvCtw1PGLBYGMfC4HvYUyBK9/GCUwqNgVvxdlmsRfau2V72xi+1oXShgfSF8gCsQ8F7Mpx5c9l3i8cmMiv9+quH9joW3Z/FHdirRF\7P1PDLQkdLhcpaRvtBl+WgIFUBQHN9s6euMiTsnGSF5S8Pj0mnJ9KYHlnr8WXAgpYUyLj4gSS/bujZM9NJ/AClwxPU3Zg7ZR5NU9rI\7y2rax6QgtyIWSeNkCCL0CdEwe4f0
Source: dhcpmon.exe, 00000010.00000002.409637733.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
Source: WrNhr6yUD8.exe, 0000000E.00000002.507665027.00000000075A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WrNhr6yUD8.exe, 0000000E.00000002.507665027.00000000075A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WrNhr6yUD8.exe, 0000000E.00000002.507665027.00000000075A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 402000
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 420000
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 422000
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: E1A008
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Process created: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Source: WrNhr6yUD8.exe, 0000000E.00000002.504150068.0000000003AA0000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: WrNhr6yUD8.exe, 0000000E.00000002.499963740.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: WrNhr6yUD8.exe, 0000000E.00000002.504150068.0000000003AA0000.00000004.00000001.sdmp | Binary or memory string: Program ManagerP0
Source: WrNhr6yUD8.exe, 0000000E.00000002.499963740.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: WrNhr6yUD8.exe, 0000000E.00000002.499963740.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: WrNhr6yUD8.exe, 0000000E.00000002.501669485.0000000003679000.00000004.00000001.sdmp | Binary or memory string: Program ManagerP
Source: WrNhr6yUD8.exe, 0000000E.00000002.506317866.000000000672B000.00000004.00000001.sdmp | Binary or memory string: Program ManagerW
Source: WrNhr6yUD8.exe, 0000000E.00000002.499963740.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: WrNhr6yUD8.exe, 0000000E.00000002.499963740.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: WrNhr6yUD8.exe, 0000000E.00000002.501477249.0000000003651000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa
Source: WrNhr6yUD8.exe, 0000000E.00000002.507942169.00000000077EB000.00000004.00000001.sdmp | Binary or memory string: Program Manager x
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Users\user\Desktop\WrNhr6yUD8.exe VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe Queries volume information: C:\Users\user\AppData\Local\Temp\dhcpmon.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\WrNhr6yUD8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
(the three SecurityCenter2 queries above were issued by the same process 12 times in a row during the run, 36 identical WMI query events in total)

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.451d051.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.4518a28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.5c70000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.dhcpmon.exe.412ff3c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.dhcpmon.exe.3f37128.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.4518a28.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.dhcpmon.exe.412ff3c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.5c74629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.dhcpmon.exe.4134565.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.5c70000.20.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.dhcpmon.exe.412b106.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.4504565.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.WrNhr6yUD8.exe.38f6908.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.dhcpmon.exe.3f37128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.4630889.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.463cabd.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.WrNhr6yUD8.exe.46510ea.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.WrNhr6yUD8.exe.38f6908.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000016.00000002.424925007.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.504364191.0000000004501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.424776175.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.500382926.00000000034B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: WrNhr6yUD8.exe, 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: WrNhr6yUD8.exe, 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000016.00000002.424925007.00000000040E9000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection212 | Masquerading2 | Input Capture21 | Query Registry1 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

Behavior Graph

Behavior Graph ID: 452096; Sample: WrNhr6yUD8.exe; Start date: 21/07/2021; Architecture: WINDOWS; Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 9 other signatures

Process tree:
  WrNhr6yUD8.exe (started)
    dropped: C:\Users\user\AppData\...\WrNhr6yUD8.exe (PE32); C:\Users\...\WrNhr6yUD8.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\WrNhr6yUD8.exe.log (ASCII)
    WrNhr6yUD8.exe (child, started)
      network: hhjhtggfr.duckdns.org 37.0.8.214, ports 49714, 49716, 49718, WKD-ASIE Netherlands; 192.168.2.1 unknown unknown
      dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  dhcpmon.exe (started)
    dropped: C:\Users\user\AppData\Local\...\dhcpmon.exe (PE32); C:\Users\user\...\dhcpmon.exe:Zone.Identifier (ASCII)
    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    dhcpmon.exe (child, started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
WrNhr6yUD8.exe | 30% | Virustotal | -
WrNhr6yUD8.exe | 22% | ReversingLabs | Win32.Trojan.Pwsx
WrNhr6yUD8.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\dhcpmon.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 22% | ReversingLabs | Win32.Trojan.Pwsx
C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe | 22% | ReversingLabs | Win32.Trojan.Pwsx
C:\Users\user\AppData\Local\Temp\dhcpmon.exe | 22% | ReversingLabs | Win32.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
14.2.WrNhr6yUD8.exe.4518a28.8.unpack | 100% | Avira | TR/NanoCore.fadte
14.2.WrNhr6yUD8.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.2.WrNhr6yUD8.exe.5c70000.20.unpack | 100% | Avira | TR/NanoCore.fadte
22.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comm_ | 0% | Avira URL Cloud | safe
http://www.tiro.com: | 0% | Virustotal |
http://www.tiro.com: | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comiv | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sajatypeworks.comTF | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comion | 0% | URL Reputation | safe
http://www.carterandcone.comCd | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.carterandcone.comdDkR | 0% | Avira URL Cloud | safe
http://www.fontbureau.comf | 0% | URL Reputation | safe
http://www.founder.com.cn/cn7 | 0% | Avira URL Cloud | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.sajatypeworks.come-d | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comldvo | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.come | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hhjhtggfr.duckdns.org | 37.0.8.214 | true | false | | high

URLs from Memory and Binaries

All of these strings were carved from process memory dumps (the .sdmp sources below). The odd trailing characters on several entries (comm_, comTF, comdDkR, netD, DPlease) are bytes that happened to follow the URL in memory and were swallowed by the string carver; the underlying addresses are type-foundry and font-vendor URLs and none of them was contacted during the run. The only real network indicator is the duckdns.org host in the Contacted Domains table above.

URL | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.comm_ | WrNhr6yUD8.exe, 00000000.00000002.307813804.0000000000E77000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com: | WrNhr6yUD8.exe, 00000000.00000003.234769136.00000000055F8000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.sajatypeworks.comiv | WrNhr6yUD8.exe, 00000000.00000003.233009789.000000000560B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comTF | WrNhr6yUD8.exe, 00000000.00000003.233009789.000000000560B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comion | WrNhr6yUD8.exe, 00000000.00000002.307813804.0000000000E77000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.carterandcone.comCd | WrNhr6yUD8.exe, 00000000.00000003.238700309.00000000055FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://google.com | WrNhr6yUD8.exe, 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.com | WrNhr6yUD8.exe, 00000000.00000003.238700309.00000000055FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | WrNhr6yUD8.exe, 00000000.00000003.242861030.00000000055F5000.00000004.00000001.sdmp; WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comdDkR | WrNhr6yUD8.exe, 00000000.00000003.238700309.00000000055FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comf | WrNhr6yUD8.exe, 00000000.00000002.307813804.0000000000E77000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn7 | WrNhr6yUD8.exe, 00000000.00000003.234681411.00000000055F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype. | WrNhr6yUD8.exe, 00000000.00000003.241765573.00000000055FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come-d | WrNhr6yUD8.exe, 00000000.00000003.233009789.000000000560B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comldvo | WrNhr6yUD8.exe, 00000000.00000002.307813804.0000000000E77000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come | WrNhr6yUD8.exe, 00000000.00000003.233009789.000000000560B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | WrNhr6yUD8.exe, 00000000.00000002.314839880.0000000006882000.00000004.00000001.sdmp; dhcpmon.exe, 00000010.00000002.413417839.0000000005D20000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
37.0.8.214 | hhjhtggfr.duckdns.org | Netherlands | 198301 | WKD-ASIE | false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452096
Start date: 21.07.2021
Start time: 20:25:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WrNhr6yUD8.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/12@14/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 60%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP packets have been reduced to 100.
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• IPs excluded from analysis (whitelisted): 13.64.90.137, 204.79.197.200, 13.107.21.200, 23.54.113.53, 52.147.198.201, 52.255.188.83, 104.43.139.144, 95.100.54.203, 20.82.210.154, 23.0.174.200, 23.0.174.185, 40.112.88.60, 20.50.102.62, 23.10.249.43, 23.10.249.26
• Domains excluded from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
20:27:10 | API Interceptor | 727x Sleep call for process WrNhr6yUD8.exe modified (sleep intervals shortened by the sandbox so the evasive delay loops run through)
20:27:12 | Autostart | Run key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name "DHCP Monitor", data C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (a self-copy of the sample; see Created / dropped Files below, where the dropped binary carries the same SHA-256 as the submitted file)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

                          Created / dropped Files

                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Process:C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):888320
                          Entropy (8bit):7.140749794967654
                          Encrypted:false
                          SSDEEP:24576:6ULRbkn8PjhH42j74d8BAk1t1L+PRUyplVnv:6atkAY2YapQUypbn
                          MD5:FB64FC2471A48928B7989F7E959DE261
                          SHA1:334F95083EE83D20255B87E0BFD4AAE86A922D20
                          SHA-256:CC536D630284E622821D1034FADEC488CB35DC72BDFB75EDBD184A638D052F98
                          SHA-512:C96A7EF0E0691096E7CD8C841696A4BE951F4B1621C4AA89B39D98E24E9310464558C66EBA3F67600E169DA46D9936D670A26802B2F5550A4804552EF9FC7916
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 22%
                          Reputation:unknown
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............j.... ........@.. ....................................@.....................................O.......P............................................................................ ............... ..H............text...p.... ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B................L.......H........&..L...........<@...p..........................................b.r...p}.....(.....(....*....0..v..............s....s....(....+. ....(.....{......3...}...........s....s....(....+. ....(.....{......3..{....o.....{....o....*...0..g.......+Z. b....&....s..........io.....{....(.....o....o....o......&..( ... ....(......{.....X}.....{......3.*.........9<.......0..1........r1..p(!...("......&.r?..p~#...o$......(".......*....................*..(....*^(%..........s&...o'...*..
                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                          Process:C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:unknown
                          Preview: [ZoneTransfer]....ZoneId=0
                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WrNhr6yUD8.exe.log
                          Process:C:\Users\user\Desktop\WrNhr6yUD8.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):1119
                          Entropy (8bit):5.356708753875314
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                          Malicious:true
                          Reputation:unknown
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):1119
                          Entropy (8bit):5.356708753875314
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                          Malicious:false
                          Reputation:unknown
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                          C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          Process:C:\Users\user\Desktop\WrNhr6yUD8.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):888320
                          Entropy (8bit):7.140749794967654
                          Encrypted:false
                          SSDEEP:24576:6ULRbkn8PjhH42j74d8BAk1t1L+PRUyplVnv:6atkAY2YapQUypbn
                          MD5:FB64FC2471A48928B7989F7E959DE261
                          SHA1:334F95083EE83D20255B87E0BFD4AAE86A922D20
                          SHA-256:CC536D630284E622821D1034FADEC488CB35DC72BDFB75EDBD184A638D052F98
                          SHA-512:C96A7EF0E0691096E7CD8C841696A4BE951F4B1621C4AA89B39D98E24E9310464558C66EBA3F67600E169DA46D9936D670A26802B2F5550A4804552EF9FC7916
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 22%
                          Reputation:unknown
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............j.... ........@.. ....................................@.....................................O.......P............................................................................ ............... ..H............text...p.... ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B................L.......H........&..L...........<@...p..........................................b.r...p}.....(.....(....*....0..v..............s....s....(....+. ....(.....{......3...}...........s....s....(....+. ....(.....{......3..{....o.....{....o....*...0..g.......+Z. b....&....s..........io.....{....(.....o....o....o......&..( ... ....(......{.....X}.....{......3.*.........9<.......0..1........r1..p(!...("......&.r?..p~#...o$......(".......*....................*..(....*^(%..........s&...o'...*..
                          C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe:Zone.Identifier
                          Process:C:\Users\user\Desktop\WrNhr6yUD8.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:unknown
                          Preview: [ZoneTransfer]....ZoneId=0
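Triage of the entries above, as an added example written for this page (it is not part of the Joe Sandbox report and not code from the analysed sample). It transcribes the two dropped PE copies and their Zone.Identifier streams listed above plus the "DHCP Monitor" Run value from the Behavior table, and applies the three checks a responder would make on them: is the dropped PE byte-identical to the submitted sample (same SHA-256, so the "DHCP Monitor" binary is the sample itself), does its Zone.Identifier stream carry a ZoneId below 3 (LocalMachine, LocalIntranet or Trusted, so Windows treats the copy as a local file rather than a download, which a genuine download would mark 3 or 4), and is the path referenced from an autostart value. The 26-byte stream content is reconstructed as the usual CRLF-terminated "[ZoneTransfer]\r\nZoneId=0\r\n", since the report preview shows the non-printable bytes as dots. The Temp\dhcpmon.exe copy listed further down is left out because its stream entry is cut off in this excerpt. The record layout, helper names and finding strings are this example's own.

```python
"""Triage of dropped PE copies, their Zone.Identifier streams and the
autostart value, as transcribed from this report.

Added example written for this page; not part of the Joe Sandbox report and
not code from the analysed sample. Record layout, helper names and the
finding strings are this example's own.
"""
import re
from dataclasses import dataclass

# URLZONE values as written to the Zone.Identifier stream by Windows.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

# SHA-256 of the submitted sample (from the report, lower-cased).
SAMPLE_SHA256 = "cc536d630284e622821d1034fadec488cb35dc72bdfb75edbd184a638d052f98"


@dataclass
class Dropped:
    path: str            # file path, or "<file>:Zone.Identifier" for a stream
    process: str         # process that wrote it
    sha256: str = ""     # empty for stream records
    ads_text: str = ""   # stream content; non-empty marks a stream record


# Transcribed from the report. The 26-byte stream content is reconstructed
# as the usual CRLF-terminated form (the report preview shows those bytes
# as dots); this is an assumption about the exact whitespace only.
REPORT_DROPS = [
    Dropped(r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
            r"C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe", SAMPLE_SHA256),
    Dropped(r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier",
            r"C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe",
            ads_text="[ZoneTransfer]\r\nZoneId=0\r\n"),
    Dropped(r"C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe",
            r"C:\Users\user\Desktop\WrNhr6yUD8.exe", SAMPLE_SHA256),
    Dropped(r"C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe:Zone.Identifier",
            r"C:\Users\user\Desktop\WrNhr6yUD8.exe",
            ads_text="[ZoneTransfer]\r\nZoneId=0\r\n"),
]

# Autostart value from the Behavior table: value name -> command.
RUN_VALUES = {"DHCP Monitor": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"}


def parse_zone_identifier(text):
    """Return the integer ZoneId from a Zone.Identifier stream, or None."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(drops, sample_sha256=SAMPLE_SHA256, run_values=RUN_VALUES):
    """Correlate each dropped PE with its stream, the sample hash and the
    autostart values. Returns {pe_path: [finding, ...]}."""
    streams = {d.path: d for d in drops if d.ads_text}
    findings = {}
    for d in drops:
        if d.ads_text:
            continue                      # streams are looked up, not listed
        notes = []
        if d.sha256.lower() == sample_sha256.lower():
            notes.append("self-copy of the analysed sample")
        stream = streams.get(d.path + ":Zone.Identifier")
        if stream is None:
            notes.append("no Zone.Identifier stream")
        else:
            zone = parse_zone_identifier(stream.ads_text)
            name = ZONE_NAMES.get(zone, "unknown")
            if zone is None:
                notes.append("Zone.Identifier stream without ZoneId")
            elif zone >= 3:
                notes.append(f"Mark-of-the-Web intact (ZoneId={zone} {name})")
            else:
                # A download would carry 3 or 4; an explicit 0..2 written by
                # the dropper makes Windows treat the copy as a local file.
                notes.append(f"Mark-of-the-Web neutralised: ZoneId={zone} "
                             f"{name}, written by {stream.process}")
        for value_name, command in run_values.items():
            if command.lower() == d.path.lower():
                notes.append(f"autostart via HKLM Run value '{value_name}'")
        findings[d.path] = notes
    return findings


if __name__ == "__main__":
    for path, notes in triage(REPORT_DROPS).items():
        print(path)
        for note in notes:
            print("  -", note)
```

Run against the transcribed records, the Program Files copy gets all three findings (self-copy, ZoneId=0 written by the Temp copy of the sample, referenced from the Run value) and the Temp copy gets the first two; the same function applied to a real download with ZoneId=3 reports the mark as intact, so the rule distinguishes a dropper rewriting the stream from a file that simply arrived through a browser.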
                          C:\Users\user\AppData\Local\Temp\dhcpmon.exe
                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):888320
                          Entropy (8bit):7.140749794967654
                          Encrypted:false
                          SSDEEP:24576:6ULRbkn8PjhH42j74d8BAk1t1L+PRUyplVnv:6atkAY2YapQUypbn
                          MD5:FB64FC2471A48928B7989F7E959DE261
                          SHA1:334F95083EE83D20255B87E0BFD4AAE86A922D20
                          SHA-256:CC536D630284E622821D1034FADEC488CB35DC72BDFB75EDBD184A638D052F98
                          SHA-512:C96A7EF0E0691096E7CD8C841696A4BE951F4B1621C4AA89B39D98E24E9310464558C66EBA3F67600E169DA46D9936D670A26802B2F5550A4804552EF9FC7916
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 22%
                          Reputation:unknown
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............j.... ........@.. ....................................@.....................................O.......P............................................................................ ............... ..H............text...p.... ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B................L.......H........&..L...........<@...p..........................................b.r...p}.....(.....(....*....0..v..............s....s....(....+. ....(.....{......3...}...........s....s....(....+. ....(.....{......3..{....o.....{....o....*...0..g.......+Z. b....&....s..........io.....{....(.....o....o....o......&..( ... ....(......{.....X}.....{......3.*.........9<.......0..1........r1..p(!...("......&.r?..p~#...o$......(".......*....................*..(....*^(%..........s&...o'...*..
                          C:\Users\user\AppData\Local\Temp\dhcpmon.exe:Zone.Identifier
                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:unknown
                          Preview: [ZoneTransfer]....ZoneId=0
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                          Process:C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2088
                          Entropy (8bit):7.024371743172393
                          Encrypted:false
                          SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
                          MD5:0D6805D12813A857D50D42D6EE2CCAB0
                          SHA1:78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
                          SHA-256:182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
                          SHA-512:5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
                          Malicious:false
                          Reputation:unknown
                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                          Process:C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          File Type:Non-ISO extended-ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):8
                          Entropy (8bit):2.75
                          Encrypted:false
                          SSDEEP:3:dTzz8:m
                          MD5:B78ADC14B1CC69A8126D1F62947CCF3A
                          SHA1:D4017FC3B5F7A40FDE16148CCA2902D48FB5D659
                          SHA-256:C3527D0EDD6F06CB1EABFD50BA93A43EE03D1273E4CFFD0A7476FC1EF59C239B
                          SHA-512:A1880116A392AA5A6BA8AC1F5CEE22AC2AC60268F8EFF83466F594EA92FF773BA6C410C2B5C776B7D5C515321A8DEE7DC74403AE72436F224A20BAB8DB9AA328
                          Malicious:true
                          Reputation:unknown
                          Preview: .....L.H
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                          Process:C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          File Type:data
                          Category:modified
                          Size (bytes):40
                          Entropy (8bit):5.153055907333276
                          Encrypted:false
                          SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                          MD5:4E5E92E2369688041CC82EF9650EDED2
                          SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                          SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                          SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                          Malicious:false
                          Reputation:unknown
                          Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                          Process:C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):327432
                          Entropy (8bit):7.99938831605763
                          Encrypted:true
                          SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                          MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                          SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                          SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                          SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                          Malicious:false
                          Reputation:unknown
                          Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.140749794967654
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:WrNhr6yUD8.exe
                          File size:888320
                          MD5:fb64fc2471a48928b7989f7e959de261
                          SHA1:334f95083ee83d20255b87e0bfd4aae86a922d20
                          SHA256:cc536d630284e622821d1034fadec488cb35dc72bdfb75edbd184a638d052f98
                          SHA512:c96a7ef0e0691096e7cd8c841696a4be951f4b1621c4aa89b39d98e24e9310464558c66eba3f67600e169da46d9936d670a26802b2f5550a4804552ef9fc7916
                          SSDEEP:24576:6ULRbkn8PjhH42j74d8BAk1t1L+PRUyplVnv:6atkAY2YapQUypbn
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............j.... ........@.. ....................................@................................

                          File Icon

                          Icon Hash:64e4cc8df0f0f0b0

                          Static PE Info

                          General

                          Entrypoint:0x4cb16a
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0xF8B1A194 [Tue Mar 21 13:26:44 2102 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al

                          Data Directories

                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb118 | 0x4f | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0xf750 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdc000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcb0fc | 0x1c | .text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                          Sections

                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0xc9170 | 0xc9200 | False | 0.785982898928 | data | 7.02528915193 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcc000 | 0xf750 | 0xf800 | False | 0.812531502016 | data | 7.51816910204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xdc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          Name | RVA | Size | Type | Language | Country
                          RT_ICON | 0xcc160 | 0x528 | GLS_BINARY_LSB_FIRST | |
                          RT_ICON | 0xcc698 | 0x1428 | dBase IV DBT of @.DBF, block length 5120, next free block index 40, next free block 0, next used block 0 | |
                          RT_ICON | 0xcdad0 | 0x2d28 | data | |
                          RT_ICON | 0xd0808 | 0xa9cb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                          RT_GROUP_ICON | 0xdb1e4 | 0x3e | data | |
                          RT_VERSION | 0xdb234 | 0x31a | ARC archive data, packed | |
                          RT_MANIFEST | 0xdb560 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                          Imports

                          DLL | Import
                          mscoree.dll | _CorExeMain

                          Version Infos

                          Description | Data
                          Translation | 0x0000 0x04b0
                          LegalCopyright | Mozilla
                          Assembly Version | 18.5.0.0
                          InternalName | zONE C.exe
                          FileVersion | 18.5.0.0
                          CompanyName | Mozilla
                          LegalTrademarks |
                          Comments | Firefox
                          ProductName | Firefox
                          ProductVersion | 18.5.0.0
                          FileDescription | Firefox
                          OriginalFilename | zONE C.exe

                          Network Behavior

                          Snort IDS Alerts

                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          07/21/21-20:27:13.807230 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:27:21.758849 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49716 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:27:28.036498 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49718 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:27:35.087761 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:27:43.150923 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:27:49.130581 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:27:54.695591 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49729 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:28:01.673401 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49730 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:28:07.767664 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49731 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:28:13.611239 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:28:21.114575 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:28:28.020886 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:28:34.420594 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 8234 | 192.168.2.5 | 37.0.8.214
                          07/21/21-20:28:40.378034 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 8234 | 192.168.2.5 | 37.0.8.214

                          Network Port Distribution

                          TCP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jul 21, 2021 20:27:13.292196035 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:13.318258047 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:13.318444014 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:13.807229996 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:13.869301081 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:13.890949011 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:13.923830032 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:13.966023922 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.048934937 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.112545967 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.112581968 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.112689972 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.112714052 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.112736940 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.112813950 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.141444921 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141510963 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141557932 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141613007 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141640902 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.141669989 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.141670942 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141715050 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141752005 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141789913 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.141804934 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.141838074 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.167134047 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167195082 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167237997 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167268038 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.167280912 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167320967 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167351961 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.167359114 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167398930 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167438984 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167453051 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.167489052 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167491913 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.167534113 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167574883 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167587042 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.167613983 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167658091 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167714119 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167714119 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.167758942 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167798042 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.167809963 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.168148041 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.172801018 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193200111 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193260908 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193298101 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193303108 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193325996 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193355083 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193372965 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193394899 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193394899 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193444967 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193489075 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193522930 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193527937 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193562984 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193567991 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193598986 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193664074 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193665028 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193706989 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193732977 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193775892 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193783045 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193897963 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193945885 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.193955898 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.193988085 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194010973 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194015026 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194056034 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194096088 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194117069 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194144964 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194154024 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194190979 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194228888 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194247961 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194267988 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194292068 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194338083 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194366932 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194376945 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194403887 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194413900 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194427967 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194462061 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194475889 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214
                          Jul 21, 2021 20:27:14.194504976 CEST | 8234 | 49714 | 37.0.8.214 | 192.168.2.5
                          Jul 21, 2021 20:27:14.194513083 CEST | 49714 | 8234 | 192.168.2.5 | 37.0.8.214

                          UDP Packets


                          DNS Queries

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Jul 21, 2021 20:27:12.864238024 CEST | 192.168.2.5 | 8.8.8.8 | 0x7c8e | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:21.396034956 CEST | 192.168.2.5 | 8.8.8.8 | 0x9c2d | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:27.831329107 CEST | 192.168.2.5 | 8.8.8.8 | 0x2c79 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:34.900463104 CEST | 192.168.2.5 | 8.8.8.8 | 0x51fa | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:43.028851032 CEST | 192.168.2.5 | 8.8.8.8 | 0xaf47 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:49.074486017 CEST | 192.168.2.5 | 8.8.8.8 | 0x1510 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:54.649091959 CEST | 192.168.2.5 | 8.8.8.8 | 0x9572 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:01.630784988 CEST | 192.168.2.5 | 8.8.8.8 | 0x8c91 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:07.725210905 CEST | 192.168.2.5 | 8.8.8.8 | 0x8334 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:12.748063087 CEST | 192.168.2.5 | 8.8.8.8 | 0x7148 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:21.065098047 CEST | 192.168.2.5 | 8.8.8.8 | 0x71e3 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:27.930370092 CEST | 192.168.2.5 | 8.8.8.8 | 0x47de | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:34.372925997 CEST | 192.168.2.5 | 8.8.8.8 | 0xb3b1 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:40.335563898 CEST | 192.168.2.5 | 8.8.8.8 | 0xf1ea | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Jul 21, 2021 20:27:12.988148928 CEST | 8.8.8.8 | 192.168.2.5 | 0x7c8e | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:21.521564960 CEST | 8.8.8.8 | 192.168.2.5 | 0x9c2d | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:27.959212065 CEST | 8.8.8.8 | 192.168.2.5 | 0x2c79 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:35.025049925 CEST | 8.8.8.8 | 192.168.2.5 | 0x51fa | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:43.043302059 CEST | 8.8.8.8 | 192.168.2.5 | 0xaf47 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:49.087997913 CEST | 8.8.8.8 | 192.168.2.5 | 0x1510 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:27:54.661930084 CEST | 8.8.8.8 | 192.168.2.5 | 0x9572 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:01.644711971 CEST | 8.8.8.8 | 192.168.2.5 | 0x8c91 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:07.739787102 CEST | 8.8.8.8 | 192.168.2.5 | 0x8334 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:12.873614073 CEST | 8.8.8.8 | 192.168.2.5 | 0x7148 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:21.081299067 CEST | 8.8.8.8 | 192.168.2.5 | 0x71e3 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:27.946304083 CEST | 8.8.8.8 | 192.168.2.5 | 0x47de | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:34.385742903 CEST | 8.8.8.8 | 192.168.2.5 | 0xb3b1 | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)
                          Jul 21, 2021 20:28:40.350263119 CEST | 8.8.8.8 | 192.168.2.5 | 0xf1ea | No error (0) | hhjhtggfr.duckdns.org | | 37.0.8.214 | A (IP address) | IN (0x0001)

                          Code Manipulations

                          Statistics

                          Behavior

                          System Behavior

                          General

                          Start time: 20:26:31
                          Start date: 21/07/2021
                          Path: C:\Users\user\Desktop\WrNhr6yUD8.exe
                          Wow64 process (32bit): true
                          Commandline: 'C:\Users\user\Desktop\WrNhr6yUD8.exe'
                          Imagebase: 0x320000
                          File size: 888320 bytes
                          MD5 hash: FB64FC2471A48928B7989F7E959DE261
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.308987203.00000000038F6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.308863362.0000000003857000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.308575708.00000000028DA000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.308575708.00000000028DA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation: low

                          General

                          Start time: 20:27:06
                          Start date: 21/07/2021
                          Path: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\WrNhr6yUD8.exe
                          Imagebase: 0xfa0000
                          File size: 888320 bytes
                          MD5 hash: FB64FC2471A48928B7989F7E959DE261
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507240741.00000000074D0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507076827.0000000007480000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507595922.0000000007590000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507410107.0000000007510000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507410107.0000000007510000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.504364191.0000000004501000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507284046.00000000074E0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507284046.00000000074E0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.496594455.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507147677.00000000074B0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507147677.00000000074B0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.504446438.0000000004581000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.505956339.0000000005A20000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.505956339.0000000005A20000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.504700403.000000000479F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507370869.0000000007500000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507370869.0000000007500000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.500382926.00000000034B1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.500382926.00000000034B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507319723.00000000074F0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.507319723.00000000074F0000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.506071191.0000000005C70000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.507514929.0000000007550000.00000004.00000001.sdmp, Author: Florian Roth
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 22%, ReversingLabs
                          Reputation: low

                          General

                          Start time: 20:27:21
                          Start date: 21/07/2021
                          Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                          Wow64 process (32bit): true
                          Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                          Imagebase: 0x810000
                          File size: 888320 bytes
                          MD5 hash: FB64FC2471A48928B7989F7E959DE261
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.409979115.0000000002E9D000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.409979115.0000000002E9D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.410463215.0000000003E98000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 22%, ReversingLabs
                          Reputation: low

                          General

                          Start time: 20:27:52
                          Start date: 21/07/2021
                          Path: C:\Users\user\AppData\Local\Temp\dhcpmon.exe
                          Wow64 process (32bit): true
                          Commandline: C:\Users\user\AppData\Local\Temp\dhcpmon.exe
                          Imagebase: 0xc80000
                          File size: 888320 bytes
                          MD5 hash: FB64FC2471A48928B7989F7E959DE261
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.424925007.00000000040E9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.424925007.00000000040E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.424776175.00000000030E1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.424776175.00000000030E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.422787857.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 22%, ReversingLabs
                          Reputation: low

                          Disassembly

                          Code Analysis