
Windows Analysis Report gXcRJ8123G.exe

Overview

General Information

Sample Name: gXcRJ8123G.exe
Analysis ID: 452188
MD5: 767e1c497ff0d617de66c2d8ece44c49
SHA1: 118e1e764cd05b98c631bb9a5687acae94f208e1
SHA256: f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Process Tree

  • System is w10x64
  • gXcRJ8123G.exe (PID: 1700 cmdline: 'C:\Users\user\Desktop\gXcRJ8123G.exe' MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
    • schtasks.exe (PID: 6092 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • gXcRJ8123G.exe (PID: 1872 cmdline: C:\Users\user\Desktop\gXcRJ8123G.exe 0 MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
  • dhcpmon.exe (PID: 2944 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
  • dhcpmon.exe (PID: 5700 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 767E1C497FF0D617DE66C2D8ECE44C49)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "03e670ce-e449-4fbc-8c90-b68dc609", "Group": "Scammer", "Domain1": "188.141.118.122", "Domain2": "188.141.118.122", "Port": 6666, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Source: gXcRJ8123G.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth | Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: gXcRJ8123G.exe | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth | Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: gXcRJ8123G.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: gXcRJ8123G.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net> | Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Dropped Files

Source | Rule | Description | Author | Strings
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth | Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth | Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net> | Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth | Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net> | Strings:
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net> | Strings:
  • 0x23ba3:$a: NanoCore
  • 0x23bfc:$a: NanoCore
  • 0x23c39:$a: NanoCore
  • 0x23cb2:$a: NanoCore
  • 0x23c05:$b: ClientPlugin
  • 0x23c42:$b: ClientPlugin
  • 0x24540:$b: ClientPlugin
  • 0x2454d:$b: ClientPlugin
  • 0x1b919:$e: KeepAlive
  • 0x2408d:$g: LogClientMessage
  • 0x2400d:$i: get_Connected
  • 0x15bd5:$j: #=q
  • 0x15c05:$j: #=q
  • 0x15c41:$j: #=q
  • 0x15c69:$j: #=q
  • 0x15c99:$j: #=q
  • 0x15cc9:$j: #=q
  • 0x15cf9:$j: #=q
  • 0x15d29:$j: #=q
  • 0x15d45:$j: #=q
  • 0x15d75:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth | Strings:
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x3bd6:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost
Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth | Strings:
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x3bd6:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x3cb4:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost
  • 0x3bf0:$s5: IClientLoggingHost
Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth | Strings:
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x24170:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x2419d:$x2: IClientNetworkHost
Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth | Strings:
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x24170:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x2524b:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
  • 0x2418a:$s5: IClientLoggingHost
Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Jbx Signature Overview

            AV Detection:

Antivirus / Scanner detection for submitted sample
Source: gXcRJ8123G.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "03e670ce-e449-4fbc-8c90-b68dc609", "Group": "Scammer", "Domain1": "188.141.118.122", "Domain2": "188.141.118.122", "Port": 6666, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for domain / URL
Source: 188.141.118.122 | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 84%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
Source: gXcRJ8123G.exe | Virustotal: Detection: 84%
Source: gXcRJ8123G.exe | ReversingLabs: Detection: 100%
Yara detected Nanocore RAT
Source: Yara match | File source: gXcRJ8123G.exe, type: SAMPLE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
Source: Yara match | File source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: gXcRJ8123G.exe | Joe Sandbox ML: detected
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.780000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.dhcpmon.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.dhcpmon.exe.390000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.dhcpmon.exe.780000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: gXcRJ8123G.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\gXcRJ8123G.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 188.141.118.122
Source: global traffic | TCP traffic: 192.168.2.6:49718 -> 188.141.118.122:6666
Source: Joe Sandbox View | ASN Name: LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding
Source: unknown | TCP traffic detected without corresponding DNS query: 188.141.118.122 (this entry appears 50 times in the report)
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

            E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | same 38 file sources (SAMPLE, UNPACKEDPE, MEMORY and DROPPED) as listed for this signature under AV Detection above

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: gXcRJ8123G.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: gXcRJ8123G.exe, type: SAMPLE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.2.dhcpmon.exe.29a3dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 0.3.gXcRJ8123G.exe.41f3bee.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 7.2.dhcpmon.exe.2e93dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.3.gXcRJ8123G.exe.4208219.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.3.gXcRJ8123G.exe.420dc45.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.3.gXcRJ8123G.exe.41f3bee.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe | Code function: 5_2_0006524A
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe | Code function: 5_2_048323A0
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe | Code function: 5_2_04832FA8
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe | Code function: 5_2_04833850
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe | Code function: 5_2_0483306F
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_0039524A
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_04B82FA8
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_04B823A0
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_04B83850
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 6_2_04B8306F
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_0078524A
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_04F723A0
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_04F72FA8
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_04F73850
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_04F7306F
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000005.00000002.346847668.0000000004950000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gXcRJ8123G.exe
            Source: gXcRJ8123G.exe, 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs gXcRJ8123G.exe
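            The OriginalFilename strings listed above are VS_VERSION_INFO resource values of the NanoCore client plug-ins and bundled libraries that the sample unpacks in memory, which is why none of them matches the name of the file on disk. The Python below is an added example, not code from the Joe Sandbox report or from NanoCore: it pulls such values out of a raw memory dump (the strings are stored as UTF-16LE, with the value DWORD-aligned after the key) and applies the two checks the report runs on them, namely whether the name differs from the submitted file name and whether it belongs to the plug-in names seen in this run. The plug-in list is copied from the report lines above; the function names, the block-building helper and the sample dump are constructed for this example.

```python
import struct

# OriginalFilename values this sandbox run pulled out of the sample's memory (copied from the
# report entries above; this is not an official NanoCore indicator list)
NANOCORE_PLUGIN_NAMES = frozenset({
    "CoreClientPlugin.dll", "ManagementClientPlugin.dll", "NanoCoreBase.dll",
    "FileBrowserClient.dll", "MyClientPlugin.dll", "NanoProtectClient.dll",
    "NanoCoreStressTester.dll", "NetworkClientPlugin.dll", "SecurityClientPlugin.dll",
    "SurveillanceClientPlugin.dll", "ToolsClientPlugin.dll",
    "SurveillanceExClientPlugin.dll", "ClientPlugin.dll",
})

# VS_VERSION_INFO String blocks hold szKey and Value as UTF-16LE, so search in that encoding
ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le")


def extract_original_filenames(buf: bytes) -> list:
    """Return every OriginalFilename value found in buf, in the order encountered.

    For each UTF-16LE occurrence of the key, skip its NUL terminator and the
    DWORD-alignment padding that precedes the value, then read UTF-16 code units
    up to the next NUL code unit. Hits that do not decode are skipped.
    """
    names = []
    pos = 0
    while True:
        idx = buf.find(ORIGINAL_FILENAME_KEY, pos)
        if idx < 0:
            return names
        cur = idx + len(ORIGINAL_FILENAME_KEY)
        while buf[cur:cur + 2] == b"\x00\x00":      # key terminator, then optional padding
            cur += 2
        end = cur
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        try:
            names.append(buf[cur:end].decode("utf-16-le"))
        except UnicodeDecodeError:
            pass
        pos = end                                   # end > idx, so the scan always advances


def triage_original_filenames(buf: bytes, sample_name: str) -> dict:
    """Apply the two checks the report makes on these strings.

    'mismatched' corresponds to "Sample file is different than original file name gathered
    from version info"; 'nanocore_plugins' flags names from the plug-in set above.
    """
    found = extract_original_filenames(buf)
    return {
        "original_filenames": found,
        "mismatched": sorted({n for n in found if n.lower() != sample_name.lower()}),
        "nanocore_plugins": sorted({n for n in found if n in NANOCORE_PLUGIN_NAMES}),
    }


def _version_string_block(key: str, value: str) -> bytes:
    """Build one VS_VERSION_INFO String block: wLength, wValueLength, wType, szKey, pad, Value."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    if (6 + len(body)) % 4:                         # Value must start on a DWORD boundary
        body += b"\x00\x00"
    body += value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-in for a process memory dump: a few resource blocks with junk between
# them. Two names are plug-ins from the report, one is the sample's own; the layout is invented.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _version_string_block("OriginalFilename", "NanoCoreBase.dll")
    + b"\xcc\xcc" + _version_string_block("CompanyName", "Example")
    + _version_string_block("OriginalFilename", "gXcRJ8123G.exe")
    + b"junk"
    + _version_string_block("OriginalFilename", "SurveillanceClientPlugin.dll")
)


if __name__ == "__main__":
    for key, val in triage_original_filenames(SAMPLE_DUMP, "gXcRJ8123G.exe").items():
        print(f"{key}: {val}")
```

            To use it on a real artefact, pass the bytes of one of the .sdmp dumps named above (or any process dump) to triage_original_filenames together with the submitted file name. The stray trailing character on several report lines (the "<" in "NanoCoreBase.dll<", for instance) is whatever byte follows the string in memory; this parser stops at the UTF-16 NUL terminator, so it reports the clean name. An empty Value is the one layout the loop does not handle: its terminator would be skipped as padding and the next block's bytes read instead.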
            Source: gXcRJ8123G.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
            Source: gXcRJ8123G.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: gXcRJ8123G.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: gXcRJ8123G.exe, type: SAMPLE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 6.2.dhcpmon.exe.29a3dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 6.2.dhcpmon.exe.29a3dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 0.3.gXcRJ8123G.exe.41f3bee.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 0.3.gXcRJ8123G.exe.41f3bee.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 7.2.dhcpmon.exe.2e93dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 7.2.dhcpmon.exe.2e93dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
            Source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
            Source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.3.gXcRJ8123G.exe.4208219.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.3.gXcRJ8123G.exe.420dc45.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.3.gXcRJ8123G.exe.41f3bee.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: gXcRJ8123G.exe, Static PE information: Section: .rsrc ZLIB complexity 1.00026633523
            Source: dhcpmon.exe.0.dr, Static PE information: Section: .rsrc ZLIB complexity 1.00026633523
            Source: gXcRJ8123G.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'CreateDecryptor'
            Source: gXcRJ8123G.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock'
            Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'CreateDecryptor'
            Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock'
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'CreateDecryptor'
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: classification engine, Classification label: mal100.troj.evad.winEXE@10/12@0/1
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, File created: C:\Program Files (x86)\DHCP Monitor
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{03e670ce-e449-4fbc-8c90-b68dc609b5fe}
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_01
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_01
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, File created: C:\Users\user\AppData\Local\Temp\tmp28BF.tmp
            Source: gXcRJ8123G.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: gXcRJ8123G.exe, Virustotal: Detection: 84%
            Source: gXcRJ8123G.exe, ReversingLabs: Detection: 100%
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, File read: C:\Users\user\Desktop\gXcRJ8123G.exe
            Source: unknown, Process created: C:\Users\user\Desktop\gXcRJ8123G.exe 'C:\Users\user\Desktop\gXcRJ8123G.exe'
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown, Process created: C:\Users\user\Desktop\gXcRJ8123G.exe C:\Users\user\Desktop\gXcRJ8123G.exe 0
            Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
            Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: gXcRJ8123G.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: gXcRJ8123G.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: gXcRJ8123G.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: gXcRJ8123G.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: dhcpmon.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: dhcpmon.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe File opened: C:\Users\user\Desktop\gXcRJ8123G.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Window / User API: foregroundWindowGot 587
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Window / User API: foregroundWindowGot 632
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe TID: 1296 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe TID: 2680 Thread sleep time: -420000s >= -30000s
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe TID: 2924 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 400 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2272 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'
            Source: gXcRJ8123G.exe, 00000000.00000003.359467385.000000000626D000.00000004.00000001.sdmp Binary or memory string: Program Manager
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\gXcRJ8123G.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

            Stealing of Sensitive Information:

            Yara detected Nanocore RAT
            Source: Yara match, File source: gXcRJ8123G.exe, type: SAMPLE
            Source: Yara match, File source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
            Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
            Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
            Source: Yara match, File source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
            Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
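            A small parser for the identifiers in the list above, added here as an example and not part of the Joe Sandbox report: it turns each File source entry into process index, image name and base address, so that the raw and rebuilt dumps of one region collapse into a single hit and the processes that carried the NanoCore payload (the original sample and the dropped dhcpmon.exe) can be listed. The sample lines are a constructed subset copied from this list. The reading of the .unpack and .sdmp fields (leading number = process index as used in the process tree, second number = dump stage, hex field = base address) is an assumption inferred from how the 7.0/7.2 and 00000007.* entries pair up on this page; the two trailing .sdmp fields are kept raw rather than interpreted.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Yara detected Nanocore RAT" lines above.
# LINE_RE accepts the run-together "Yara matchFile source:" form as well as a
# comma-separated one.
SAMPLE_LINES = """\
Source: Yara matchFile source: gXcRJ8123G.exe, type: SAMPLE
Source: Yara matchFile source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
Source: Yara matchFile source: C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe, type: DROPPED
"""

LINE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*$")
# <proc>.<stage>.<image>.<hex base>.<n>.[raw.]unpack  (field meaning is an assumption)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)\."
    r"(?P<n>\d+)\.(?P<raw>raw\.)?unpack$")
# <proc>.<stage>.<id>.<hex base>.<f1>.<f2>.sdmp  (f1/f2 kept raw, not interpreted)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<stage>[0-9a-fA-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<f1>[0-9a-fA-F]{8})\.(?P<f2>[0-9a-fA-F]{8})\.sdmp$")
PIDSPACE_RE = re.compile(r"^Process Memory Space:\s*(?P<image>.+?)\s+PID:\s*(?P<pid>\d+)$")


def _new_proc():
    return {"image": None, "pe_bases": set(), "dump_bases": set()}


def parse_yara_sources(text):
    """Group Yara hits by process index. Raw and rebuilt dumps of one region
    share a base address and therefore collapse into one entry."""
    out = {"sample": None, "dropped": [], "pids": {}, "processes": defaultdict(_new_proc)}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, kind = m["src"], m["type"]
        if kind == "SAMPLE":
            out["sample"] = src
        elif kind == "DROPPED":
            out["dropped"].append(src)
        elif kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
            proc = out["processes"][int(u["proc"])]
            proc["image"] = u["image"]
            proc["pe_bases"].add(int(u["base"], 16))
        elif kind == "MEMORY" and (s := SDMP_RE.match(src)):
            out["processes"][int(s["proc"], 16)]["dump_bases"].add(int(s["base"], 16))
        elif kind == "MEMORY" and (w := PIDSPACE_RE.match(src)):
            out["pids"][int(w["pid"])] = w["image"]
    return out


def images_carrying_payload(parsed):
    """Image names whose address space held a matching region or process."""
    from_dumps = {p["image"] for p in parsed["processes"].values() if p["image"]}
    return sorted(from_dumps | set(parsed["pids"].values()))


if __name__ == "__main__":
    result = parse_yara_sources(SAMPLE_LINES)
    for idx, proc in sorted(result["processes"].items()):
        print(idx, proc["image"], [hex(b) for b in sorted(proc["pe_bases"])],
              [hex(b) for b in sorted(proc["dump_bases"])])
    print("payload seen in:", images_carrying_payload(result))
    print("dropped copy:", result["dropped"])
```

            Feeding the complete list through the parser gives the same picture in one screen: process indices 0 and 5 are the sample, 6 and 7 are the dropped dhcpmon.exe, and each of them has the payload both as an unpacked PE and in a later memory dump, which is the persistence chain the DROPPED entry closes.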

            Remote Access Functionality:

            Detected Nanocore Rat
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
            Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
            Source: gXcRJ8123G.exe, String found in binary or memory: NanoCore.ClientPluginHost
            Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exe, String found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: dhcpmon.exe, String found in binary or memory: NanoCore.ClientPluginHost
            Source: dhcpmon.exe, 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
            Source: gXcRJ8123G.exe, String found in binary or memory: NanoCore.ClientPluginHost
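            The runs of names above are the contents of the .NET #Strings metadata heap of the embedded plugin assemblies (<Module> is the first type name of every .NET module); the report prints the heap with its nul separators dropped, which is why the names run together. The following example, added here and not part of the report or of the sample, shows how to locate that heap in a dumped module's CLI metadata root and split it back into names, then pull out the NanoCore plugin-interface markers and the Handle*Command handlers seen in the dumps. The metadata root layout follows ECMA-335 II.24.2; the input is a constructed metadata root built from names copied from the dumps above, not a real dump, and the marker list is limited to strings that appear on this page.

```python
import struct

METADATA_SIGNATURE = 0x424A5342  # "BSJB" (ECMA-335 II.24.2.1)

# Markers taken from the strings the report found in memory (plugin host
# interfaces and the NanoProtect plugin); assumed sufficient for a first triage.
NANOCORE_MARKERS = (
    "NanoCore.ClientPluginHost", "NanoCore.ClientPlugin", "IClientNetworkHost",
    "IClientLoggingHost", "NanoProtect", "KillNanoCore",
)


def build_metadata_root(streams, version=b"v4.0.30319"):
    """Assemble a minimal CLI metadata root from {stream name: bytes}.
    Only used here to construct offline test input; real roots come from a PE."""
    vbytes = version + b"\0"
    vlen = (len(vbytes) + 3) & ~3                       # version padded to 4
    root = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, vlen)
    root += vbytes.ljust(vlen, b"\0")
    root += struct.pack("<HH", 0, len(streams))          # flags, stream count
    names = [n.encode("ascii") + b"\0" for n in streams]
    names = [n.ljust((len(n) + 3) & ~3, b"\0") for n in names]
    offset = len(root) + sum(8 + len(n) for n in names)  # first stream body
    table, body = b"", b""
    for n, data in zip(names, streams.values()):
        table += struct.pack("<II", offset, len(data)) + n
        body += data
        offset += len(data)
    return root + table + body


def find_metadata_roots(data):
    """Offsets of every BSJB signature in a dumped module or memory region."""
    sig = struct.pack("<I", METADATA_SIGNATURE)
    offs, i = [], data.find(sig)
    while i != -1:
        offs.append(i)
        i = data.find(sig, i + 1)
    return offs


def parse_metadata_root(blob):
    """Parse a CLI metadata root (ECMA-335 II.24.2.1/2) into {name: bytes}."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", blob, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("no BSJB signature at offset 0")
    pos = 16 + vlen
    _flags, nstreams = struct.unpack_from("<HH", blob, pos)
    pos += 4
    streams = {}
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", blob, pos)
        pos += 8
        end = blob.index(b"\0", pos)                     # nul-terminated name
        streams[blob[pos:end].decode("ascii")] = blob[off:off + size]
        pos = (end + 1 + 3) & ~3                         # name padded to 4
    return streams


def strings_heap(streams):
    """Split the #Strings heap (nul-separated UTF-8) into names. Offset 0
    always holds an empty string, which is dropped here."""
    return [s.decode("utf-8") for s in streams["#Strings"].split(b"\0") if s]


def nanocore_indicators(names):
    """Heap names that contain one of the NanoCore plugin markers."""
    return [n for n in names if any(m in n for m in NANOCORE_MARKERS)]


def command_handlers(names):
    """Handle*Command methods, i.e. the commands a plugin accepts from the C2."""
    return sorted(n for n in names if n.startswith("Handle") and n.endswith("Command"))


# Constructed input: a #Strings heap holding a few names copied from the dumps
# in the report, wrapped in a synthetic metadata root.
SAMPLE_HEAP = (b"\0<Module>\0mscorlib\0NanoCore.ClientPluginHost\0IClientNetworkHost\0"
               b"IClientLoggingHost\0HandleSYNCommand\0HandleHTTPCommand\0HTTPFlood\0"
               b"SlowLoris\0KillNanoCore\0")
SAMPLE_BLOB = build_metadata_root({"#Strings": SAMPLE_HEAP, "#US": b"\0"})

if __name__ == "__main__":
    names = strings_heap(parse_metadata_root(SAMPLE_BLOB))
    print("indicators:", nanocore_indicators(names))
    print("handlers:", command_handlers(names))
```

            On a real dump, run find_metadata_roots over the region and parse each hit; a NanoCore client carrying several plugins yields several roots, one per embedded assembly, which matches the separate NanoCoreBase, FileBrowserClient, MyClientPlugin, NanoProtectClient and NanoCoreStressTester heaps listed above.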
            Yara detected Nanocore RAT
            Source: Yara match, file source: gXcRJ8123G.exe, type: SAMPLE
            Source: Yara match, file source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, file source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
            Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
            Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
            Source: Yara match, file source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
            Source: Yara match, file source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 2 | Input Capture 11 | Query Registry 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Virtualization/Sandbox Evasion 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

            Behavior Graph ID: 452188, Sample: gXcRJ8123G.exe, Startdate: 21/07/2021, Architecture: WINDOWS, Score: 100

            Signatures at the root of the graph:
            • Multi AV Scanner detection for domain / URL
            • Found malware configuration
            • Malicious sample detected (through community Yara rule)
            • 11 other signatures

            Processes started from the root: gXcRJ8123G.exe (1 18), dhcpmon.exe (3), gXcRJ8123G.exe (3), dhcpmon.exe (2)

            gXcRJ8123G.exe (first instance):
            • DNS/IP: 188.141.118.122, 49718, 49722, 49725, LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding, Ireland
            • Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32
            • Dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
            • Dropped: C:\Users\user\AppData\Local\...\tmp28BF.tmp, XML
            • Dropped: C:\...\dhcpmon.exe:Zone.Identifier, ASCII
            • Signature: Uses schtasks.exe or at.exe to add and modify task schedules
            • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            • Started: schtasks.exe (1), which started conhost.exe
            • Started: schtasks.exe (1), which started conhost.exe

            dhcpmon.exe (first instance):
            • Dropped: C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII

            gXcRJ8123G.exe (second instance):
            • Dropped: C:\Users\user\AppData\...\gXcRJ8123G.exe.log, ASCII

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label | Link
            gXcRJ8123G.exe | 84% | Virustotal | | Browse
            gXcRJ8123G.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |
            gXcRJ8123G.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
            gXcRJ8123G.exe | 100% | Joe Sandbox ML | |

            Dropped Files

            Source | Detection | Scanner | Label | Link
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | |
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 84% | Virustotal | | Browse
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.0.gXcRJ8123G.exe.60000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            7.2.dhcpmon.exe.780000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            5.2.gXcRJ8123G.exe.60000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            6.2.dhcpmon.exe.390000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            0.0.gXcRJ8123G.exe.640000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            6.0.dhcpmon.exe.390000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
            7.0.dhcpmon.exe.780000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label | Link
            188.141.118.122 | 6% | Virustotal | | Browse
            188.141.118.122 | 0% | Avira URL Cloud | safe |

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            188.141.118.122 | true | 6%, Virustotal, Browse; Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://google.com | gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp | false | | high

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              188.141.118.122 | unknown | Ireland | 6830 | LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding | true

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:452188
              Start date:21.07.2021
              Start time:23:02:13
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 9m 35s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:gXcRJ8123G.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed:23
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@10/12@0/1
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
              • TCP Packets have been reduced to 100
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              23:03:05 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\gXcRJ8123G.exe" s>$(Arg0)
              23:03:05 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
              23:03:05 | API Interceptor | 1032x Sleep call for process: gXcRJ8123G.exe modified
              23:03:07 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
              LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding | xjYvqOne1t | Get hash | malicious | Browse | 31.5.149.216
              | iUmNR6tkEd | Get hash | malicious | Browse | 178.202.206.19
              | eAtDhymLzp | Get hash | malicious | Browse | 213.93.27.100
              | ehn0f1d63M | Get hash | malicious | Browse | 213.126.201.232
              | zhPAQB7FPV | Get hash | malicious | Browse | 145.252.248.205
              | wy2BysBF1U | Get hash | malicious | Browse | 86.49.148.244
              | jhUxzb7jPW | Get hash | malicious | Browse | 91.119.249.10
              | dFwIxBbz2d | Get hash | malicious | Browse | 89.101.120.139
              | 7f8BlPBZMS | Get hash | malicious | Browse | 213.126.148.27
              | 9bCnBwR693.exe | Get hash | malicious | Browse | 78.45.53.24
              | nRjbMQ5Jua.exe | Get hash | malicious | Browse | 84.117.126.143
              | Vk3A1yJJMg | Get hash | malicious | Browse | 83.103.130.246
              | rnQYDw7A4G | Get hash | malicious | Browse | 95.76.74.163
              | Af1Fnq4I4G | Get hash | malicious | Browse | 88.146.165.84
              | 395d6gwkWK | Get hash | malicious | Browse | 213.126.201.255
              | wZ6O9wSQ4e | Get hash | malicious | Browse | 86.49.196.177
              | b8oaj84zgz | Get hash | malicious | Browse | 77.251.162.101
              | eubqHHIQkc | Get hash | malicious | Browse | 88.153.34.82
              | popsmoke.mpsl | Get hash | malicious | Browse | 62.195.46.186
              | popsmoke.mpsl | Get hash | malicious | Browse | 62.143.241.216

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):207872
              Entropy (8bit):7.450095771993313
              Encrypted:false
              SSDEEP:6144:sLV6Bta6dtJmakIM5KcGLYiO5C3e6s7338vSa:sLV6BtpmkjYiOS1k3Ta
              MD5:767E1C497FF0D617DE66C2D8ECE44C49
              SHA1:118E1E764CD05B98C631BB9A5687ACAE94F208E1
              SHA-256:F84B3ABD9E10ED3595FB957BA10F2C222FA6AC99605BBFD768CC65EE4F59E6E8
              SHA-512:F24ACF37C91C0FBFB02C17566D5B9D3FF548BD414D11F343AB56B4105D257721FC54C57254D3078AE30D4EC54D403EB5AF3E50A648B4B1F8C579D745F50B492C
              Malicious:true
              Yara Hits:
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Virustotal, Detection: 84%, Browse
              • Antivirus: ReversingLabs, Detection: 100%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. ......................................................................8...W.... ..._........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...._... ...`..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.2874233355119316
              Encrypted:false
              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
              MD5:61CCF53571C9ABA6511D696CB0D32E45
              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
              Malicious:true
              Reputation:high, very likely benign file
              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gXcRJ8123G.exe.log
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.2874233355119316
              Encrypted:false
              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
              MD5:61CCF53571C9ABA6511D696CB0D32E45
              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
              Malicious:true
              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
              C:\Users\user\AppData\Local\Temp\tmp28BF.tmp
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1303
              Entropy (8bit):5.115734872180681
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V5lxtn:cbk4oL600QydbQxIYODOLedq3kj
              MD5:447A6AD04F7E1B9672E3B07786B1524A
              SHA1:043FAD6383FA97E1E4BCD0917B113EDAF35550C9
              SHA-256:55F70B35DB53C7218954340D87AFB1EDC889BE378C0327036BF947251A361AEB
              SHA-512:2546986CD9D35408C2D89834711E40129A4C8EAB75BC5A1C4051B68CB27446D60CAA19A0F1C5EB1421B6F4495E20A4CC1F96CF9446625E15424A7C293B173A0C
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:data
              Category:dropped
              Size (bytes):1736
              Entropy (8bit):7.094528505897445
              Encrypted:false
              SSDEEP:48:Ik/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8L:ft3Ucrt3Ucrt3Ucrt3Ucrt3Ucrt3Ucr9
              MD5:C9A901CEF4675F82D1F8407B7E1DA172
              SHA1:03480F0CAFD5689E41D7509DF92AE700B78D1693
              SHA-256:61488189C23B604117304C41F02C5E722985D264CCAC36D3DFA0589C8D5AD1C7
              SHA-512:8A02A9BF579D8C1464C4245AB21836604878E90B4EDEFCDE5A8D5D25872FC1DCE1CB82D72C9406DC24DE6CC1982C9A8204CAA798CD8BF06D47EBA60096865319
              Malicious:false
              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:ISO-8859 text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:qF8t:q6
              MD5:AB1EF4A9F831D79EE720D72C90642ECE
              SHA1:9246DF20EE6CEBB1852A3774A7ED42A17ED8EEF0
              SHA-256:0305722508F8C58572086CD7F3718E2382D189EA7FF6020283354FEB9F110DCC
              SHA-512:058DFE6F015846BB70F6DF9E5C17CA4958C0202DC98283ABE0105236AC2A316A6547A09D1A725FE35008CE4C42099F6C8D5726E2867166C90A2BB312B32D7541
              Malicious:true
              Preview: ...].L.H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:data
              Category:modified
              Size (bytes):24
              Entropy (8bit):4.501629167387823
              Encrypted:false
              SSDEEP:3:9bzY6oRDIvYk:RzWDI3
              MD5:ACD3FB4310417DC77FE06F15B0E353E6
              SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
              SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
              SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
              Malicious:false
              Preview: 9iH...}Z.4..f..J".C;"a
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:data
              Category:dropped
              Size (bytes):64
              Entropy (8bit):5.320159765557392
              Encrypted:false
              SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
              MD5:BB0F9B9992809E733EFFF8B0E562CFD6
              SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
              SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
              SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
              Malicious:false
              Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:data
              Category:dropped
              Size (bytes):433688
              Entropy (8bit):7.999519077450246
              Encrypted:true
              SSDEEP:12288:dcRKtiKlC1FGhWjoORvi5oCILR9Eax5uoj:KRCiKECCGoD9Eaioj
              MD5:D2D87B1E9F691E38698A9683C9E213C1
              SHA1:87FAA25A212348CCD20567929D52A0ADE5BE07CE
              SHA-256:4115C31136A8A8F4642D3F5E7032A248381FCF36B047CFD911F974600F140039
              SHA-512:541F3C4C9CA97C085065FA5881D9A336F0BE474C90D1C65379CA7CB7F084B6496ED52A61F9133FD29DE5DB57C2B1F2CC302498579C5A158F823612EAC248C5DC
              Malicious:false
              Preview: .........O.......\8..5N..`S.]..[r.$*>.\.#v&..$.......Z.i..M.Mn5.@..@...3.R..Y...}>C.b....Z........K..^.d...Z...K.#...dn$e ..XP.^.#.......V...dB.Kn.Y.c..-k....M.D...Q.S..R.X.........._...Zz...#.=<.V.NHZq.h..ON..oq.:...,7H....../..Q..R.u6.."....<.`..z.5b($..9.CF.F1...o?.h.}....;Ay....kL}7...I.-.}..D&...C....%.J..+..1.5.a..Ih....s........G..?..9^0e...p..FCvNt.e...B/...y.h.G.0..o,Q.2[..........e.P8.....yr...*..Q..*..../..S..m.......\.wA.a1.]...oW........PY..h....f:.....Ss.....\.8...@R._A...M..X....V.f).]z..u{.z-....W...NaT+.&:...1.D../.7..\.S..z..!.....#..F.d......*.m'..........6.2....:H...bd].._......}.n.=...l.7%r.>...B.Q.K..q...Ex.6.6....P..^...i...Mx...;g...,t..fCd.\.b....e{.\...Y=4......+..T....j}..|66g.s...z...Y.kTi..?Xy...5\...SO..W.U.3A.$.l..{.D...no.E..v.2.:..a..hdhO..t.w.k..T|Po.....D?..mG.[.2.;....+...8.6.h!..w.3...w.o.....|....f.v.to.B.{`o..a.....f.cu..........?......"...u..EA...^)W..z..jtU{^......5#....y.s.......e.l..&...%...
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\Desktop\gXcRJ8123G.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):40
              Entropy (8bit):4.361768795973195
              Encrypted:false
              SSDEEP:3:oNN2+WCkf+0Cn:oNN2RCf0C
              MD5:57727D13BAD31F90F435367844801B81
              SHA1:BCE921899C2A359675AE9ACF8AA9C7181A03EA20
              SHA-256:ABC4C5E92B977739708223B5A0EE20A2898D3065997A991094C2360654B4EF8F
              SHA-512:FFCD3E598E062EF47F3087E3956E2A3C2DB02B1CE32463D9665FFC458C5C3D9EF1394BC8852733C258FE4592B7ED2CC600E7BF6FB716AE9A6A39C645B06ED687
              Malicious:false
              Preview: C:\Users\user\Desktop\gXcRJ8123G.exe

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.450095771993313
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:gXcRJ8123G.exe
              File size:207872
              MD5:767e1c497ff0d617de66c2d8ece44c49
              SHA1:118e1e764cd05b98c631bb9a5687acae94f208e1
              SHA256:f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
              SHA512:f24acf37c91c0fbfb02c17566d5b9d3ff548bd414d11f343ab56b4105d257721fc54c57254d3078ae30d4ec54d403eb5af3e50a648b4b1f8c579d745f50b492c
              SSDEEP:6144:sLV6Bta6dtJmakIM5KcGLYiO5C3e6s7338vSa:sLV6BtpmkjYiOS1k3Ta
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. .....................................................................

              File Icon

              Icon Hash:00828e8e8686b000

              Static PE Info

              General

              Entrypoint:0x41e792
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v2.0.50727
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the rest of the entry-point preview is zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al")

The jump target 0x402000 is the image base 0x400000 plus the IAT at RVA 0x2000 listed under Data Directories, and that IAT holds the only native import, mscoree.dll!_CorExeMain. This is the standard native stub of a managed executable: control passes directly to the CLR, so the sample's behaviour lives in the .NET code, not in this native entry point.

              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x15fc8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.594512404057 | data | 6.59805438752 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x15fc8 | 0x16000 | False | 1.00026633523 | data | 7.99757268531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

Name | RVA | Size | Type | Language | Country
RT_RCDATA | 0x22058 | 0x15f70 | TIM image, Pixel at (52285,41708) Size=36322x50574 | |

The "TIM image" type is a libmagic guess on the first bytes and should not be taken literally: a single RT_RCDATA blob of 0x15f70 bytes that fills almost the whole 0x15fc8-byte .rsrc section, in a section with entropy 7.9976, is encrypted or compressed data, consistent with a packed payload that the managed code unpacks at runtime (compare the ".NET source code contains potential unpacker" signature).
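The Sections and Resources tables above rate .rsrc at entropy 7.998 against 6.598 for .text, and the RT_RCDATA resource fills almost the entire section. The Python below is an added example, not code from the report or from Joe Sandbox, showing how that 8-bit entropy figure is computed and how a windowed scan locates such an embedded blob inside a file. It runs on a constructed buffer (an 8 KiB header-like prefix followed by a 64 KiB SHA-256 counter-mode stream standing in for the encrypted resource), not on the real sample.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform).

    This is the same quantity as the report's 'Entropy (8bit)' fields: for this
    sample 6.598 for .text (compiled CIL) versus 7.998 for .rsrc.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.5):
    """Scan a buffer in fixed windows and merge adjacent windows whose entropy
    reaches the threshold into (offset, length, entropy) regions.

    Encrypted or compressed payloads, such as an embedded RCDATA blob, show up
    as one long region; code, strings and headers stay below the threshold.
    """
    regions = []
    start = None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off - start, shannon_entropy(data[start:off])))
            start = None
    if start is not None:
        regions.append((start, len(data) - start, shannon_entropy(data[start:])))
    return regions


def build_sample() -> bytes:
    """Constructed stand-in for the sample binary (not the real file): 8 KiB of
    header-like, mostly-zero data followed by a 64 KiB pseudo-random blob that
    plays the role of the encrypted RT_RCDATA resource."""
    header = (b"MZ" + b"\x00" * 510) * 16  # 8192 bytes
    # SHA-256 in counter mode: deterministic and uniformly distributed bytes.
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))
    return header + blob


if __name__ == "__main__":
    sample = build_sample()
    print(f"whole buffer: {shannon_entropy(sample):.3f} bits/byte")
    for off, length, ent in high_entropy_regions(sample):
        print(f"high-entropy region at 0x{off:x}, 0x{length:x} bytes, entropy {ent:.3f}")
```

A threshold near 7.5 separates encrypted or compressed data from compiled code and text in practice; CIL, as the .text figure of 6.598 shows, sits well below it. The windowed scan is what you would run over the extracted resource bytes, and it fires on a Zip or PNG just as readily, so treat it as a triage signal rather than a verdict.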

              Imports

DLL | Import
mscoree.dll | _CorExeMain

              Network Behavior

              Network Port Distribution

              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 21, 2021 23:03:06.178333998 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.247365952 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.247837067 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.289177895 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.391777992 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.391905069 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.443742037 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.444065094 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.498539925 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.498625994 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.560504913 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.560714006 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.662353992 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.662599087 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.770725012 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.770801067 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.770895958 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.770941973 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.775173903 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.775227070 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.775302887 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.775433064 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.775475979 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.775541067 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.776097059 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.776139021 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.776207924 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.776416063 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.776463032 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.776503086 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.776515961 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.776550055 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.776586056 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.831844091 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.833868027 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.834003925 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.837975979 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.838001013 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.838094950 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.838504076 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.838521957 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.838593006 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.838840961 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.838859081 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.838934898 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.838972092 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.838989973 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.839066982 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.839087963 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.839500904 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.839584112 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.839595079 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.839610100 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.839703083 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.840676069 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.840696096 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.840754032 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.841499090 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.841520071 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.841619968 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.842583895 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.843199015 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.843283892 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.855494022 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.893522024 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.893874884 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.893980980 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.894598961 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.894661903 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.894746065 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.901660919 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.901768923 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.901994944 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.902069092 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.902393103 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.902549982 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.902578115 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.902760983 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.902935982 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.902961016 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903002024 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903017998 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903064966 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903182030 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903204918 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903238058 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903249025 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903302908 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903414965 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903518915 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903527975 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903733969 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903753042 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903812885 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903834105 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903856993 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903881073 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.903918028 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6
Jul 21, 2021 23:03:06.903985023 CEST | 49718 | 6666 | 192.168.2.6 | 188.141.118.122
Jul 21, 2021 23:03:06.904026031 CEST | 6666 | 49718 | 188.141.118.122 | 192.168.2.6

All 100 captured packets belong to a single TCP session between the sandbox host 192.168.2.6 (ephemeral port 49718) and 188.141.118.122 on port 6666, the non-standard port flagged in the signature summary. The session opens about four seconds after the first process start at 23:03:02, after both scheduled tasks have been registered (23:03:03 and 23:03:04), so the network indicator to block or hunt for is 188.141.118.122:6666.

              Code Manipulations

              Statistics

              Behavior


              System Behavior

              General

              Start time:23:03:02
              Start date:21/07/2021
              Path:C:\Users\user\Desktop\gXcRJ8123G.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\gXcRJ8123G.exe'
              Imagebase:0x640000
              File size:207872 bytes
              MD5 hash:767E1C497FF0D617DE66C2D8ECE44C49
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:23:03:03
              Start date:21/07/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'
              Imagebase:0x1030000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:23:03:03
              Start date:21/07/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:23:03:04
              Start date:21/07/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'
              Imagebase:0x1030000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:23:03:04
              Start date:21/07/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:23:03:05
              Start date:21/07/2021
              Path:C:\Users\user\Desktop\gXcRJ8123G.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\gXcRJ8123G.exe 0
              Imagebase:0x60000
              File size:207872 bytes
              MD5 hash:767E1C497FF0D617DE66C2D8ECE44C49
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:23:03:05
              Start date:21/07/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x7ff614b90000
              File size:207872 bytes
              MD5 hash:767E1C497FF0D617DE66C2D8ECE44C49
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 84%, Virustotal, Browse
              • Detection: 100%, ReversingLabs
              Reputation:low

              General

              Start time:23:03:15
              Start date:21/07/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x780000
              File size:207872 bytes
              MD5 hash:767E1C497FF0D617DE66C2D8ECE44C49
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low
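The process list above shows the sample registering two scheduled tasks from temporary XML files ('DHCP Monitor' at 23:03:03 and 'DHCP Monitor Task' at 23:03:04) and then running its copy from C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe. The Python below is an added example, not part of the report, that parses a Task Scheduler XML definition and pulls out the fields an incident responder checks first: the action command, the run level, the hidden setting and whether a logon trigger is present. The two task definitions embedded in it are constructed for the example, since the report does not include the contents of tmp28BF.tmp or tmp2C3B.tmp; the suspect one borrows only the install path from the process list, and the benign one is an invented control.

```python
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments that mark user-writable locations; a persistence action that
# launches from one of these deserves a look regardless of its name.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Install path reported for this sample (taken from the process list above).
IOC_PATHS = (r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",)


def triage_task_xml(xml_text, ioc_paths=IOC_PATHS):
    """Extract the persistence-relevant fields of a Task Scheduler XML
    definition and return them together with a list of human-readable flags."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    # schtasks stores quoted commands with the quotes; strip them for matching.
    command = text("t:Actions/t:Exec/t:Command").strip('"')
    result = {
        "command": command,
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "logon_trigger": root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None,
        "flags": [],
    }
    lowered = command.lower()
    if any(frag in lowered for frag in USER_WRITABLE):
        result["flags"].append("action launches from a user-writable path")
    if lowered in {p.lower() for p in ioc_paths}:
        result["flags"].append("action path matches a known IOC")
    if result["hidden"]:
        result["flags"].append("task is hidden from the Task Scheduler UI")
    if result["run_level"] == "HighestAvailable":
        result["flags"].append("task requests the highest available run level")
    if result["logon_trigger"]:
        result["flags"].append("task fires at user logon")
    return result


# Constructed task definition modelled on the 'schtasks /create /xml' calls in
# the process list; the real tmp28BF.tmp / tmp2C3B.tmp contents are not in the report.
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign control: a visible, least-privilege task run from System32 on a schedule.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-07-21T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\defrag.exe</Command><Arguments>C: /O</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        info = triage_task_xml(xml_text)
        print(label, info["command"], "->", info["flags"] or ["no flags"])
```

On a live host the same function can be pointed at the files under C:\Windows\System32\Tasks, which hold the registered definitions in this XML format (read them as bytes so the UTF-16 declaration they carry is honoured). Note that the install path under Program Files (x86) does not trip the user-writable check; writing there required the administrator rights the sandbox run had ("Has administrator privileges:true"), which is why the IOC match and the hidden and run-level flags carry the weight in this case.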

              Disassembly

              Code Analysis
