Windows Analysis Report Quotation Request August RFQ8012021.exe

Overview

General Information

Sample Name: Quotation Request August RFQ8012021.exe
Analysis ID: 457719
MD5: dd69f329393643aa570bd3a940323136
SHA1: dbcb022f10c8cfcdd93a75253b9e20260f86dafe
SHA256: 9327c22d332141a7ee037b2d393e0ad352a2fc4f6dc9b7cf9c78155d70681e6b
Tags: exe, NanoCore

Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Yara signature match

Process Tree

  • System is w10x64
  • Quotation Request August RFQ8012021.exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe' MD5: DD69F329393643AA570BD3A940323136)
    • cmd.exe (PID: 7156 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5868 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • MainProc.exe (PID: 6288 cmdline: 'C:\Users\user\AppData\Roaming\MainProc.exe' MD5: DD69F329393643AA570BD3A940323136)
      • InstallUtil.exe (PID: 5880 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • smss.exe (PID: 5460 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 5908 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6752 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 5772 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 5032 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 6904 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 1664 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 4928 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6196 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 7084 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6048 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 7116 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6712 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 1260 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • dhcpmon.exe (PID: 2928 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost

Unpacked PEs

Source: 18.2.InstallUtil.exe.4337c5e.11.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
Source: 18.2.InstallUtil.exe.4337c5e.11.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
Source: 18.2.InstallUtil.exe.412d7e1.7.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
Source: 18.2.InstallUtil.exe.412d7e1.7.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
Source: 18.2.InstallUtil.exe.7dc0000.25.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: 'C:\Users\user\AppData\Local\Temp\smss.exe', CommandLine: 'C:\Users\user\AppData\Local\Temp\smss.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\smss.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\smss.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\smss.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\MainProc.exe', ParentImage: C:\Users\user\AppData\Roaming\MainProc.exe, ParentProcessId: 6288, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\smss.exe', ProcessId: 5460
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\MainProc.exe', ParentImage: C:\Users\user\AppData\Roaming\MainProc.exe, ParentProcessId: 6288, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5880

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\smss.exe; ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Roaming\MainProc.exe; ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: Quotation Request August RFQ8012021.exe; Virustotal: Detection: 26%
Source: Quotation Request August RFQ8012021.exe; ReversingLabs: Detection: 15%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation Request August RFQ8012021.exe; Joe Sandbox ML: detected
Source: 18.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.InstallUtil.exe.61a0000.19.unpack; Avira: Label: TR/NanoCore.fadte
Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack; Avira: Label: TR/NanoCore.fadte
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: Quotation Request August RFQ8012021.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000012.00000000.787284435.0000000000C62000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch]
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FECFACh
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FEBA86h
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FECFACh
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FEBA86h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E50799h
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E50799h
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E90799h
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E90799h

Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: dedicatedlambo9.ddns.net
Source: global traffic; TCP traffic: 192.168.2.4:49765 -> 185.140.53.253:1604
Source: global traffic; TCP traffic: 192.168.2.4:49768 -> 84.38.133.182:1604
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; DNS traffic detected: queries for: www.google.com
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: MainProc.exe, 0000000C.00000003.762136895.0000000000A1E000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
Source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/1
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/15
Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/1?&
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g5
Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g?&
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.cobj
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.cobj5
Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.cobj?&
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.669545817.00000000066F6000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.743302521.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.d
Source: MainProc.exe, 0000000C.00000003.762136895.0000000000A1E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737360805.00000000028EA000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.865871111.0000000000A19000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: MainProc.exe, 0000000C.00000002.929570918.000000000269C000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/WebPage
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: https://pki.goog/repository/0
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp; String found in binary or memory: https://www.google.com
Source: Quotation Request August RFQ8012021.exe, Quotation Request August RFQ8012021.exe, 00000000.00000002.734568182.0000000000452000.00000002.00020000.sdmp, MainProc.exe, MainProc.exe, 0000000C.00000000.730058481.0000000000202000.00000002.00020000.sdmp; String found in binary or memory: https://www.google.com/
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49745
Source: smss.exe, 00000016.00000002.813610530.0000000000A00000.00000004.00000001.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: InstallUtil.exe, 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 18.2.InstallUtil.exe.4337c5e.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.412d7e1.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7dc0000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e00000.29.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.4139a15.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.4337c5e.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e50000.35.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.432982e.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e90000.36.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.6570000.22.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7dc0000.25.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e90000.36.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43209ff.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.432982e.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7de0000.27.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7dd0000.26.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e10000.30.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.74c0000.24.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e5e8a4.33.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e54c9f.34.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e10000.30.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.74c0000.24.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7de0000.27.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.5870000.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e20000.31.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.3035ff8.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.6570000.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e40000.32.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e40000.32.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e20000.31.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e50000.35.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7df0000.28.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e00000.29.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.3042240.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000012.00000002.944247779.0000000007E40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
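The Yara hits above are listed once per memory dump and once per unpacked PE, so it takes some squinting to see which processes actually hold the NanoCore payload and which of those regions are writable and executable. The following Python is an added example, not part of the Joe Sandbox report: it correlates the source names by process index and flags RWX regions. It assumes, from the names alone, that an .sdmp name is <process index, hex>.<phase>.<dump id>.<base address>.<page protection>.<region type>.sdmp and that an .unpack name is <process index>.<phase>.<image>.<address>.<n>[.raw].unpack; reading the fifth .sdmp field as a Windows PAGE_* constant is likewise an assumption the report does not state. The input lines are copied from the tables above.

```python
import re
from collections import defaultdict

# Windows PAGE_* memory-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# Assumed layout of a dumped-region name (not documented in the report):
# <process index, hex>.<phase>.<dump id>.<base address>.<page protection>.<region type>.sdmp
SDMP_RE = re.compile(
    r"(?P<pidx>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)
# Assumed layout of an unpacked-PE name:
# <process index>.<phase>.<image name>.<address>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"(?P<pidx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?\.exe)\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack"
)

# Constructed input: lines copied from the Yara match tables of this report.
REPORT_LINES = [
    "Source: Yara matchFile source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE",
    "Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY",
    "Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY",
    "Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY",
]


def parse_source(text):
    """Decode the first source name found in `text`; None if the line has neither form."""
    m = UNPACK_RE.search(text)
    if m:
        return {"process": int(m["pidx"]), "phase": int(m["phase"]), "image": m["image"],
                "addr": int(m["addr"], 16), "prot": None}
    m = SDMP_RE.search(text)
    if m:
        return {"process": int(m["pidx"], 16), "phase": int(m["phase"], 16), "image": None,
                "addr": int(m["addr"], 16), "prot": int(m["prot"], 16)}
    return None


def correlate(lines):
    """Group hits by process index.

    The image name learned from .unpack entries is applied to the .sdmp entries with the
    same index, so a memory hit in 00000012.* is attributed to InstallUtil.exe. Regions
    whose protection is writable+executable are collected separately: a RWX page at an
    image address is the usual footprint of code injected into a hollowed process.
    """
    procs = defaultdict(lambda: {"image": None, "regions": set(), "rwx": set()})
    for line in lines:
        rec = parse_source(line)
        if rec is None:
            continue
        entry = procs[rec["process"]]
        if rec["image"]:
            entry["image"] = rec["image"]
        entry["regions"].add(rec["addr"])
        if rec["prot"] in WRITABLE_EXECUTABLE:
            entry["rwx"].add(rec["addr"])
    return dict(procs)


def describe(procs):
    """One summary line per process, lowest index first."""
    out = []
    for idx in sorted(procs):
        p = procs[idx]
        rwx = ", ".join(f"0x{a:x}" for a in sorted(p["rwx"])) or "none"
        out.append(f"process {idx} ({p['image'] or 'unknown image'}): "
                   f"{len(p['regions'])} region(s) matched, writable+executable at {rwx}")
    return out


if __name__ == "__main__":
    for line in describe(correlate(REPORT_LINES)):
        print(line)
```

Run over the report's own data, the only writable+executable hit is process 18 (InstallUtil.exe) at 0x402000, the .text region of the image the Florian Roth rule matched at 18.2.InstallUtil.exe.400000.0.unpack. Taken together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures, that is the region to carve first when the same sample is met on a live host.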
    Initial sample is a PE file and has a suspicious name
    Source: initial sample; Static PE information: Filename: Quotation Request August RFQ8012021.exe
    Contains functionality to launch a process as a different user
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE069C CreateProcessAsUserW,
    Detected potential crypto function
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_00458C21
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CEA550
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CE7550
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CE96D8
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CEDDD0
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CE7D54
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00208C21
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0A550
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D07550
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D09A60
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0FCA8
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D07C00
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0DDD0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D09A50
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0FC9A
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0DDC0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE1550
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4468
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE2878
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE93B0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4B98
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6AC0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE0A58
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE1541
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE7520
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4459
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE9FD0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE5E10
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE5E00
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE2868
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE93A2
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4B88
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6AB2
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6288
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6277
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE8258
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE0A48
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_00C620B0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_06580040
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_065702B0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_02D5E480
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_02D5E471
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_02D5BBD4
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07ECD4F8
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC1098
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC4868
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07ECC828
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC5820
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC1E8E
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC1DD0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC2570
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07ECC4E0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC58DE
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745612764.0000000006CF0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.738580016.0000000003895000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSHCore1.dll0 vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.743399156.0000000005EE0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAstronot plart.exe> vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.734942939.0000000000510000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameECHE CRYPTED FILE.exeP vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.743738593.00000000061B0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.743738593.00000000061B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation Request August RFQ8012021.exe
    Creates an undocumented autostart registry key
    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
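The reg.exe command above is the sample's persistence: Winlogon starts every comma-separated program named in the Shell value at logon, so appending C:\Users\user\AppData\Roaming\MainProc.exe after explorer.exe relaunches the dropped copy with every session while the desktop still comes up normally. As an added example (not part of the report), the following Python triages a Shell value: it splits the entries, ignores the bare default, and marks any extra program that lives in a user-writable profile path, which is where an unprivileged dropper has to put itself. The constructed test values include the exact string the sample wrote; on a Windows host the live HKCU and HKLM values are read through winreg, and the parsing itself needs nothing Windows-specific. The helper names are this example's own.

```python
# Registry location and value name from the reg.exe line in the report.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"

# Constructed input: the exact value the sample wrote, plus two benign controls.
SAMPLE_SHELL = r"explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,"
BENIGN_SHELLS = ["explorer.exe", "Explorer.exe"]


def shell_entries(value):
    """Split a Shell value into the programs Winlogon will start, dropping empty entries
    (the sample's trailing comma leaves one behind)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def in_user_profile(path):
    """True when a path points into a user profile, where no logon shell belongs."""
    p = path.lower().replace("/", "\\")
    return "\\appdata\\" in p or p.startswith("c:\\users\\") or p.startswith("%appdata%")


def triage_shell(value):
    """Return (entry, reason) for every entry other than the bare default explorer.exe.

    The comparison is case-insensitive; a full path to explorer.exe is still reported,
    because the stock value is the bare name and a path can point at an impostor.
    """
    findings = []
    for entry in shell_entries(value):
        if entry.lower() == DEFAULT_SHELL:
            continue
        reason = "extra logon shell entry"
        if in_user_profile(entry):
            reason += " in user-writable profile path"
        findings.append((entry, reason))
    return findings


def read_live_shell(per_user=True):
    """Read the live Shell value on Windows; None off-Windows or when the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    root = winreg.HKEY_CURRENT_USER if per_user else winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(root, WINLOGON_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
    except OSError:
        return None
    return value if isinstance(value, str) else None


if __name__ == "__main__":
    for hive, per_user in (("HKCU", True), ("HKLM", False)):
        live = read_live_shell(per_user)
        print(hive, "Shell =", live, "->", triage_shell(live) if live else "not set / not Windows")
    print("sample value ->", triage_shell(SAMPLE_SHELL))
```

Check both hives: the sample writes HKCU because it runs as the logged-on user, but a privileged variant would target the HKLM value instead. Any finding should be followed by hashing the named file and comparing it with the dropped-file hashes in the report.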
    Source: 18.2.InstallUtil.exe.4337c5e.11.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4337c5e.11.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.412d7e1.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.412d7e1.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7dc0000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7dc0000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e00000.29.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e00000.29.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.4139a15.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4139a15.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.4337c5e.11.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4337c5e.11.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e50000.35.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e50000.35.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.432982e.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.432982e.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e90000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e90000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.6570000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.6570000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7dc0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7dc0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e90000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e90000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.43209ff.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43209ff.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.432982e.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.432982e.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7de0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7de0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7dd0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7dd0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e10000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e10000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.74c0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.74c0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e5e8a4.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e5e8a4.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e54c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e54c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.74c0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.74c0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7de0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7de0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.5870000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.5870000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e20000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e20000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.3035ff8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3035ff8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.6570000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.6570000.22.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e40000.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e40000.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e40000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e40000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e20000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e20000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e50000.35.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e50000.35.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7df0000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7df0000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e00000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e00000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.3042240.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3042240.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944247779.0000000007E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: classification engineClassification label: mal100.troj.evad.winEXE@38/23@8/4
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exeFile created: C:\Users\user\AppData\Roaming\MainProc.exeJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_01
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c9622013-90b3-4810-9b2a-2fbba1723547}
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
    Source: Quotation Request August RFQ8012021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\MainProc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\smss.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Quotation Request August RFQ8012021.exe | Virustotal: Detection: 26%
    Source: Quotation Request August RFQ8012021.exe | ReversingLabs: Detection: 15%
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File read: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe 'C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe'
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Users\user\AppData\Roaming\MainProc.exe 'C:\Users\user\AppData\Roaming\MainProc.exe'
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Quotation Request August RFQ8012021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: Quotation Request August RFQ8012021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000012.00000000.787284435.0000000000C62000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: Quotation Request August RFQ8012021.exe, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: MainProc.exe.0.dr, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.MainProc.exe.200000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.2.MainProc.exe.200000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 18.2.InstallUtil.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 18.2.InstallUtil.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: smss.exe.12.dr | Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Code function: 0_2_00455483 push es; ret
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Code function: 0_2_0045B51D push es; ret
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Code function: 0_2_04CE3F02 push E802005Eh; ret
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_00205483 push es; ret
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_0020B51D push es; ret
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_00D0BEF8 push eax; retf
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_05FE019F pushfd ; ret
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 18_2_07EC7983 push es; ret
    Source: Quotation Request August RFQ8012021.exe, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: Quotation Request August RFQ8012021.exe, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: Quotation Request August RFQ8012021.exe, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: Quotation Request August RFQ8012021.exe, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: MainProc.exe.0.dr, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: MainProc.exe.0.dr, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: MainProc.exe.0.dr, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: MainProc.exe.0.dr, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: smss.exe.12.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: smss.exe.12.dr, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: smss.exe.12.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: smss.exe.12.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: smss.exe.12.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 12.0.MainProc.exe.200000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 12.0.MainProc.exe.200000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 12.0.MainProc.exe.200000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 12.0.MainProc.exe.200000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 12.2.MainProc.exe.200000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 12.2.MainProc.exe.200000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 12.2.MainProc.exe.200000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 12.2.MainProc.exe.200000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 18.2.InstallUtil.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 18.2.InstallUtil.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

    Persistence and Installation Behavior:

    Drops PE files with benign system names
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | File created: C:\Users\user\AppData\Local\Temp\smss.exe
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File created: C:\Users\user\AppData\Roaming\MainProc.exe
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Boot Survival:

    Creates an undocumented autostart registry key
    Source: C:\Windows\SysWOW64\reg.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File opened: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | File opened: C:\Users\user\AppData\Roaming\MainProc.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Temp\InstallUtil.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Window / User API: threadDelayed 362
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Window / User API: threadDelayed 6786
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Window / User API: threadDelayed 2569
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 2016
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 7538
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 6816 | Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 7012 | Thread sleep count: 362 > 30
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 6752 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 6708 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 6336 | Thread sleep time: -24903104499507879s >= -30000s
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 6344 | Thread sleep count: 6786 > 30
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 6344 | Thread sleep count: 2569 > 30
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 7160 | Thread sleep count: 42 > 30
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 7160 | Thread sleep time: -42000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5472 | Thread sleep time: -15679732462653109s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 5528 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 7012 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6876 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 6496 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 6440 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 6960 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: InstallUtil.exe, 00000012.00000002.923504650.0000000001160000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+Qz~.
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: smss.exe, 00000016.00000002.813924994.0000000000A81000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: MainProc.exe, 0000000C.00000002.927040949.000000000098F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_00D09A60 LdrInitializeThunk,
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign processes
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: EB2008
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Users\user\AppData\Roaming\MainProc.exe 'C:\Users\user\AppData\Roaming\MainProc.exe'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.932054814.0000000003289000.00000004.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.927287222.0000000001830000.00000002.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.927287222.0000000001830000.00000002.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.927287222.0000000001830000.00000002.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: InstallUtil.exe, 00000012.00000002.929393891.00000000030B9000.00000004.00000001.sdmp | Binary or memory string: Program Manager`
    Source: InstallUtil.exe, 00000012.00000002.929393891.00000000030B9000.00000004.00000001.sdmp | Binary or memory string: Program Manager
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Users\user\AppData\Roaming\MainProc.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\smss.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 18_2_07EC3CA8 GetSystemTimes,
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: MainProc.exe, 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
    Source: InstallUtil.exe | String found in binary or memory: NanoCore.ClientPluginHost
    Source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteC
reateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGui
dAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleU
DPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: InstallUtil.exe, 00000012.00000002.936129956.00000000043AF000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Yara detected Nanocore RAT
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact. Numbers in parentheses are the signature counts the report attaches to a technique; "-" marks an empty cell.

    Valid Accounts (1) | Windows Management Instrumentation (1) | Valid Accounts (1) | Valid Accounts (1) | Disable or Modify Tools (1) | Input Capture (21) | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection (312) | Obfuscated Files or Information (2) | Security Account Manager | System Information Discovery (13) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Software Packing (11) | NTDS | Query Registry (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap | - | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp (1) | LSA Secrets | Security Software Discovery (111) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (12) | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (12) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts (1) | DCSync | Virtualization/Sandbox Evasion (21) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Modify Registry (1) | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Virtualization/Sandbox Evasion (21) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
    Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection (312) | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | - | - | Service Stop
    Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Files and Directories (1) | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | - | - | Inhibit System Recovery

    Behavior Graph

    Behavior Graph ID: 457719, Sample: Quotation Request August RFQ8012021.exe, Start date: 02/08/2021, Architecture: WINDOWS, Score: 100

    Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sigma detected: NanoCore; 7 other signatures

    Process tree recovered from the graph (contacted hosts, dropped files and signatures listed per process):

    • Quotation Request August RFQ8012021.exe (started at root)
      • Contacts: www.google.com 172.217.168.68, 443, 49732, 49745 (GOOGLEUS, United States)
      • Drops: C:\Users\user\AppData\Roaming\MainProc.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\...\MainProc.exe:Zone.Identifier (ASCII); Quotation Request ... RFQ8012021.exe.log (ASCII)
      • Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • Starts: MainProc.exe; cmd.exe
    • dhcpmon.exe (started at root)
      • Starts: conhost.exe
    • MainProc.exe (started by Quotation Request August RFQ8012021.exe)
      • Contacts: 192.168.2.1 (unknown); www.google.com
      • Drops: C:\Users\user\AppData\Local\Temp\smss.exe (PE32)
      • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 4 other signatures
      • Starts: InstallUtil.exe; smss.exe (two instances); 3 other processes
    • cmd.exe (started by Quotation Request August RFQ8012021.exe)
      • Starts: reg.exe; conhost.exe
    • reg.exe (started by cmd.exe)
      • Signatures: Creates an undocumented autostart registry key
    • InstallUtil.exe (started by MainProc.exe)
      • Contacts: 185.140.53.253, 1604, 49765, 49766 (DAVID_CRAIGGG, Sweden); dedicatedlambo9.ddns.net 84.38.133.182, 1604, 49768, 49770 (DATACLUB-NL, Latvia)
      • Drops: C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
      • Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • smss.exe (two instances started by MainProc.exe)
      • Signatures: Multi AV Scanner detection for dropped file (first instance)
      • Starts: smss.exe (each instance starts one child smss.exe)
    • 3 other processes (started by MainProc.exe)
      • Starts: smss.exe (two instances)


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Quotation Request August RFQ8012021.exe | 26% | Virustotal | -
    Quotation Request August RFQ8012021.exe | 15% | ReversingLabs | -
    Quotation Request August RFQ8012021.exe | 100% | Joe Sandbox ML | -

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\MainProc.exe | 100% | Joe Sandbox ML | -
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender | -
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | -
    C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender | -
    C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs | -
    C:\Users\user\AppData\Local\Temp\smss.exe | 14% | Metadefender | -
    C:\Users\user\AppData\Local\Temp\smss.exe | 13% | ReversingLabs | -
    C:\Users\user\AppData\Roaming\MainProc.exe | 15% | ReversingLabs | -

    Unpacked PE Files

    Source | Detection | Scanner | Label
    18.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    18.2.InstallUtil.exe.61a0000.19.unpack | 100% | Avira | TR/NanoCore.fadte
    18.2.InstallUtil.exe.3ff8a40.6.unpack | 100% | Avira | TR/NanoCore.fadte

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://crl.pki.goog/gsr1/gsr1.crl0; | 0% | URL Reputation | safe
    http://ns.adobe.cobj | 0% | URL Reputation | safe
    http://ns.adobe.cobj?& | 0% | Avira URL Cloud | safe
    http://ns.ado/1?& | 0% | Avira URL Cloud | safe
    http://ns.d | 0% | URL Reputation | safe
    http://ns.adobe.c/g5 | 0% | Avira URL Cloud | safe
    http://crl.pki.goog/gtsr1/gtsr1.crl0W | 0% | URL Reputation | safe
    http://pki.goog/gsr1/gsr1.crt02 | 0% | URL Reputation | safe
    http://ns.adobe.c/g | 0% | URL Reputation | safe
    https://pki.goog/repository/0 | 0% | URL Reputation | safe
    http://ns.adobe.cobj5 | 0% | Avira URL Cloud | safe
    http://ns.adobe.c/g?& | 0% | Avira URL Cloud | safe
    http://ns.ado/1 | 0% | URL Reputation | safe
    http://ns.ado/15 | 0% | Avira URL Cloud | safe
    http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0 | 0% | Avira URL Cloud | safe
    http://pki.goog/repo/certs/gts1c3.der0 | 0% | URL Reputation | safe
    http://pki.goog/repo/certs/gtsr1.der04 | 0% | URL Reputation | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    dedicatedlambo9.ddns.net | 84.38.133.182 | true | false | - | high
    www.google.com | 172.217.168.68 | true | false | - | high

        URLs from Memory and Binaries

        Columns: Name | Source | Malicious | Antivirus Detection | Reputation

        https://www.google.com
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: - | Reputation: high
        http://crl.pki.goog/gsr1/gsr1.crl0;
          Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://ns.adobe.cobj
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://ns.adobe.cobj?&
          Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
        http://ns.ado/1?&
          Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
        http://ns.d
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.669545817.00000000066F6000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.743302521.0000000006626000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://ns.adobe.c/g5
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
        http://crl.pki.goog/gtsr1/gtsr1.crl0W
          Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://pki.goog/gsr1/gsr1.crt02
          Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://ns.adobe.c/g
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        https://pki.goog/repository/0
          Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://google.com
          Source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: - | Reputation: high
        http://ns.adobe.cobj5
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: - | Reputation: high
        http://ns.adobe.c/g?&
          Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
        https://www.google.com/
          Source: Quotation Request August RFQ8012021.exe, Quotation Request August RFQ8012021.exe, 00000000.00000002.734568182.0000000000452000.00000002.00020000.sdmp, MainProc.exe, MainProc.exe, 0000000C.00000000.730058481.0000000000202000.00000002.00020000.sdmp
          Malicious: false | Antivirus Detection: - | Reputation: high
        http://schema.org/WebPage
          Source: MainProc.exe, 0000000C.00000002.929570918.000000000269C000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: - | Reputation: high
        http://ns.ado/1
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://ns.ado/15
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
        http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
        http://pki.goog/repo/certs/gts1c3.der0
          Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
        http://pki.goog/repo/certs/gtsr1.der04
          Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp
          Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  172.217.168.68 | www.google.com | United States | 15169 | GOOGLEUS | false
                  84.38.133.182 | dedicatedlambo9.ddns.net | Latvia | 203557 | DATACLUB-NL | false
                  185.140.53.253 | unknown | Sweden | 209623 | DAVID_CRAIGGG | false

                  Private

                  IP
                  192.168.2.1

                  General Information

                  Joe Sandbox Version: 33.0.0 White Diamond
                  Analysis ID: 457719
                  Start date: 02.08.2021
                  Start time: 08:43:06
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 14m 39s
                  Hypervisor based Inspection enabled: false
                  Report type: light
                  Sample file name: Quotation Request August RFQ8012021.exe
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed: 39
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.troj.evad.winEXE@38/23@8/4
                  EGA Information: Failed
                  HDC Information:
                  • Successful, ratio: 1.6% (good quality ratio 1.3%)
                  • Quality average: 66.9%
                  • Quality standard deviation: 33.7%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.211.6.115, 104.42.151.234, 204.79.197.200, 13.107.21.200, 20.82.209.183, 93.184.221.240, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62
                  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                  • Not all processes where analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                  Simulations

                  Behavior and APIs

                  Time      Type              Description
                  08:44:35  API Interceptor   1x Sleep call for process: Quotation Request August RFQ8012021.exe modified
                  08:45:07  API Interceptor   461x Sleep call for process: InstallUtil.exe modified
                  08:45:09  Autostart         Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):41064
                  Entropy (8bit):6.164873449128079
                  Encrypted:false
                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                  Malicious:false
                  Antivirus:
                  • Antivirus: Metadefender, Detection: 0%
                  • Antivirus: ReversingLabs, Detection: 0%
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Request August RFQ8012021.exe.log
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):1316
                  Entropy (8bit):5.343667025898124
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csXE4D8Q:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHe
                  MD5:379135DE3C31F3A766187BD9B6C730C9
                  SHA1:BEFFE8BDE231861A3FD901A12F51523399B9A5E7
                  SHA-256:BDE88F5C7F95E26FFC5EBE86C38AE61E78E0A5AA932A83DE00F2A46DB24DD22D
                  SHA-512:2897AAB0225823AC258D5D5E52B43140F2B47603689C968243F515B516A2712CAC69A0D7317C53575CF725D7EBDC85C93637F57E626778117364D5666C9FB993
                  Malicious:true
                  Reputation:unknown
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):950
                  Entropy (8bit):5.350971482944737
                  Encrypted:false
                  SSDEEP:24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
                  MD5:CEE81B7EB08EE82CFE49E47B81B50D1A
                  SHA1:4746C7068BD50E3309BFFDBE8983B8F27D834DFD
                  SHA-256:B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
                  SHA-512:AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
                  Malicious:false
                  Reputation:unknown
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\smss.exe.log
                  Process:C:\Users\user\AppData\Local\Temp\smss.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1362
                  Entropy (8bit):5.343186145897752
                  Encrypted:false
                  SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
                  MD5:1249251E90A1C28AB8F7235F30056DEB
                  SHA1:166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
                  SHA-256:B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
                  SHA-512:FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
                  Malicious:false
                  Reputation:unknown
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                  C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):41064
                  Entropy (8bit):6.164873449128079
                  Encrypted:false
                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                  Malicious:true
                  Antivirus:
                  • Antivirus: Metadefender, Detection: 0%
                  • Antivirus: ReversingLabs, Detection: 0%
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\smss.exe
                  Process:C:\Users\user\AppData\Roaming\MainProc.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):78336
                  Entropy (8bit):4.369296705546591
                  Encrypted:false
                  SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                  MD5:0E362E7005823D0BEC3719B902ED6D62
                  SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                  SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                  SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                  Malicious:true
                  Antivirus:
                  • Antivirus: Metadefender, Detection: 14%
                  • Antivirus: ReversingLabs, Detection: 13%
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\smss.txt
                  Process:C:\Users\user\AppData\Local\Temp\smss.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:DymfNt+kiEaKC5YIcEs:Wm1wknaZ5YPEs
                  MD5:6030D395E9112F76A144D1A2D3A5A74A
                  SHA1:8F8E1A7E7FC9711730CF084962911106AF1C890A
                  SHA-256:991205B28FA86D000ADA3BE09B940CD49598CBA126F4041DA905A4FCFAA541B3
                  SHA-512:28A229D642DFABA4F7AE7D972DC1B89FE89D4914E4451CEBCD57C9EBE780D397FCA9953EC8AF51A0F6BD2343A784907485EC051EA2C6B6CA803B731CAD852C04
                  Malicious:false
                  Reputation:unknown
                  Preview: 6288..C:\Users\user\AppData\Roaming\MainProc.exe..6196..
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1392
                  Entropy (8bit):7.024371743172393
                  Encrypted:false
                  SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUt4:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/f
                  MD5:E78C6686C5A1A9CB0724F84DEA9A75F0
                  SHA1:80E61D5BDC7AF293362024781DA66BEA9D370FF9
                  SHA-256:FBE0B513511C00AC3B7169E1BCFB675CFD708B249365D724269C23FAC1184967
                  SHA-512:FF3835238CAEA26D8800B56901AB962ACD2FA390F955C4A8A15B5817AAB7642D105538CF63938D218567501477FB4B23C2834F22CBC8BA0002C7BCACB2875637
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8
                  Entropy (8bit):3.0
                  Encrypted:false
                  SSDEEP:3:F+1kw8n:dn
                  MD5:015F76206A31860FD0EBF2D06C6E4F1C
                  SHA1:0F85C4922624E7B45C9FFED521F18E293988484F
                  SHA-256:209B2BD9810266DEA38E4C30B19C6C050C2EE187D5A6FB4C025902F22FD35B45
                  SHA-512:173637CB893AE5A42394292CE39132AA1CEE1FA747BB64FB28E26C6AF88A76CAE3E5924333F7B8D1A8BC9846ECCADC383109F7325C9703F581B1C2DE1A07BB10
                  Malicious:true
                  Reputation:unknown
                  Preview: .....U.H
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24
                  Entropy (8bit):4.501629167387823
                  Encrypted:false
                  SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                  MD5:ACD3FB4310417DC77FE06F15B0E353E6
                  SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                  SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                  SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                  Malicious:false
                  Reputation:unknown
                  Preview: 9iH...}Z.4..f..J".C;"a
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):5.320159765557392
                  Encrypted:false
                  SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                  MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                  SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                  SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                  SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                  Malicious:false
                  Reputation:unknown
                  Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):327432
                  Entropy (8bit):7.99938831605763
                  Encrypted:true
                  SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                  MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                  SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                  SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                  SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Roaming\MainProc.exe
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):775168
                  Entropy (8bit):6.683069808516563
                  Encrypted:false
                  SSDEEP:12288:BLLLO6nlb8uYhkOH7aSV7B+AcitG07iLQSWmJhbfvfkt:BPLRlb853uu7Bg0+LQSWP
                  MD5:DD69F329393643AA570BD3A940323136
                  SHA1:DBCB022F10C8CFCDD93A75253B9E20260F86DAFE
                  SHA-256:9327C22D332141A7EE037B2D393E0AD352A2FC4F6DC9B7CF9C78155D70681E6B
                  SHA-512:836B07E9F14621179B2C5CD4FA7F778F41A51240ED25B5C62A64D7F1B48B233FA972D6CA77A96B780D1F61251BEF9F5B982B694A02A359A55AD3DC2EC23DD0C8
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 15%
                  Reputation:unknown
                  C:\Users\user\AppData\Roaming\MainProc.exe:Zone.Identifier
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:unknown
                  Preview: [ZoneTransfer]....ZoneId=0
                  \Device\ConDrv
                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):2017
                  Entropy (8bit):4.663189584482275
                  Encrypted:false
                  SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                  MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                  SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                  SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                  SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                  Malicious:false
                  Reputation:unknown
                  Preview: Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):6.683069808516563
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:Quotation Request August RFQ8012021.exe
                  File size:775168
                  MD5:dd69f329393643aa570bd3a940323136
                  SHA1:dbcb022f10c8cfcdd93a75253b9e20260f86dafe
                  SHA256:9327c22d332141a7ee037b2d393e0ad352a2fc4f6dc9b7cf9c78155d70681e6b
                  SHA512:836b07e9f14621179b2c5cd4fa7f778f41a51240ed25b5c62a64d7f1b48b233fa972d6ca77a96b780d1f61251bef9f5b982b694a02a359a55ad3dc2ec23dd0c8
                  SSDEEP:12288:BLLLO6nlb8uYhkOH7aSV7B+AcitG07iLQSWmJhbfvfkt:BPLRlb853uu7Bg0+LQSWP
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....51.........."...P.................. ........@.. .......................@............`................................

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x4be70e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                  Time Stamp:0x31359EF3 [Thu Feb 29 12:41:23 1996 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  (the instruction above repeats for the rest of the entrypoint preview: the remaining bytes are all zero)

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbe6bc | 0x4f | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x64a | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0xbc714 | 0xbc800 | False | 0.601980841761 | data | 6.69306847965 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0xc0000 | 0x64a | 0x800 | False | 0.361328125 | data | 3.73777316937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xc2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_VERSION | 0xc00a0 | 0x3c0 | data | |
                  RT_MANIFEST | 0xc0460 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Version Infos

                  Description | Data
                  Translation | 0x0000 0x04b0
                  LegalCopyright | Copyright 2002 I22F6?H99HDB==A8GG=
                  Assembly Version | 1.0.0.0
                  InternalName | ECHE CRYPTED FILE.exe
                  FileVersion | 4.6.8.11
                  CompanyName | I22F6?H99HDB==A8GG=
                  Comments | =H63JIF@:2F2?8HH:A
                  ProductName | B26FHH8E2;5D3;?56:=J;<E
                  ProductVersion | 4.6.8.11
                  FileDescription | B26FHH8E2;5D3;?56:=J;<E
                  OriginalFilename | ECHE CRYPTED FILE.exe

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 2, 2021 08:43:57.989947081 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.015029907 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.020512104 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.057162046 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.088280916 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.095242977 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.095285892 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.095310926 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.095330000 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.102585077 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.109533072 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.134608984 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.193176985 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.222229004 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.253853083 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.297291040 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.298835993 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.298912048 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.300363064 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.301788092 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.303289890 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.304622889 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.307264090 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.307305098 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.307342052 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.307364941 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.307387114 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.307413101 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.307429075 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.307497978 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.308729887 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.308754921 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.308778048 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.308803082 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.308867931 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.308978081 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.336648941 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.336694002 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.336718082 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.336736917 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.336760044 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.336785078 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.336813927 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.336898088 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.338651896 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.338690042 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.338766098 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.340964079 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.341007948 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.341098070 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.342506886 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.342535973 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.342653036 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.344357014 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.344387054 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.344513893 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.346402884 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.346441031 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.346576929 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.347912073 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.347975016 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.348109007 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.349703074 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.349740982 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.349867105 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.351577997 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.351619959 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.351736069 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:43:58.353307009 CEST | 443 | 49732 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:43:58.353650093 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:05.599339008 CEST | 49732 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.685811996 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.715183020 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:34.715353012 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.771493912 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.800407887 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:34.812555075 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:34.812586069 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:34.812598944 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:34.812608957 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:34.812691927 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.812728882 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.815929890 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.843267918 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:34.895953894 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.938045025 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:34.968451977 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.015259981 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.015288115 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.015304089 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.015324116 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.015341043 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.015357018 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.015364885 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:35.015398979 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:35.015403986 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:35.017266035 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.017286062 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4
                  Aug 2, 2021 08:44:35.017368078 CEST | 49745 | 443 | 192.168.2.4 | 172.217.168.68
                  Aug 2, 2021 08:44:35.019393921 CEST | 443 | 49745 | 172.217.168.68 | 192.168.2.4

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 2, 2021 08:43:47.951039076 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:47.978574038 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:48.607779026 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:48.636271954 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:49.310126066 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:49.346659899 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:49.937041044 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:49.966797113 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:50.997369051 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:51.033483028 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:52.168009043 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:52.192941904 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:53.195231915 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:53.222794056 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:54.606411934 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:54.636307955 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:56.139966965 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:56.179408073 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:57.423515081 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:57.456290960 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:57.933033943 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:57.960870981 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:58.228938103 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:58.253899097 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:58.308300972 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:58.359380007 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:43:58.370975971 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:43:58.403595924 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:00.395735979 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:00.428066969 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:01.462416887 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:01.487005949 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:02.537281036 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:02.564785957 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:03.604494095 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:03.639764071 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:04.664004087 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:04.696794987 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:05.396941900 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:05.424765110 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:06.432003975 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:06.460185051 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:07.637190104 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:07.664674044 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:21.263093948 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:21.306958914 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:34.640358925 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:34.666949987 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:35.025269032 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:35.060741901 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:35.066827059 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:35.100137949 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:41.273047924 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:41.305814981 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:41.514153957 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:41.555350065 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:42.905774117 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:42.940818071 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:43.326035023 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:43.370830059 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:45.728630066 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:45.763329983 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:46.974745989 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:47.012340069 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:47.902887106 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:47.939491987 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:48.415471077 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:48.451076031 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:49.225300074 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:49.257811069 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:50.295164108 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:50.328421116 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:52.380829096 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:52.416184902 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:53.000516891 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:53.033313990 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:55.817954063 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:55.821413994 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:55.858757019 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:55.864502907 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:44:58.659456968 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:44:58.695750952 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:45:26.005337000 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:45:26.040527105 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:45:33.120559931 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:45:33.166687012 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:45:33.274184942 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:45:33.311067104 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:45:35.860843897 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:45:35.893742085 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:45:40.482608080 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:45:40.515060902 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:45:47.813150883 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:45:47.848233938 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:45:54.743391991 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:45:54.777112961 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4
                  Aug 2, 2021 08:46:00.841999054 CEST | 63300 | 53 | 192.168.2.4 | 8.8.8.8
                  Aug 2, 2021 08:46:00.867130041 CEST | 53 | 63300 | 8.8.8.8 | 192.168.2.4

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Aug 2, 2021 08:43:57.933033943 CEST | 192.168.2.4 | 8.8.8.8 | 0x1966 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:44:34.640358925 CEST | 192.168.2.4 | 8.8.8.8 | 0x11f5 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:26.005337000 CEST | 192.168.2.4 | 8.8.8.8 | 0x859c | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:33.274184942 CEST | 192.168.2.4 | 8.8.8.8 | 0xf875 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:40.482608080 CEST | 192.168.2.4 | 8.8.8.8 | 0x7744 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:47.813150883 CEST | 192.168.2.4 | 8.8.8.8 | 0xfa33 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:54.743391991 CEST | 192.168.2.4 | 8.8.8.8 | 0xd6ba | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:46:00.841999054 CEST | 192.168.2.4 | 8.8.8.8 | 0x9015 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Aug 2, 2021 08:43:57.960870981 CEST | 8.8.8.8 | 192.168.2.4 | 0x1966 | No error (0) | www.google.com | | 172.217.168.68 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:44:34.666949987 CEST | 8.8.8.8 | 192.168.2.4 | 0x11f5 | No error (0) | www.google.com | | 172.217.168.68 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:26.040527105 CEST | 8.8.8.8 | 192.168.2.4 | 0x859c | No error (0) | dedicatedlambo9.ddns.net | | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:33.311067104 CEST | 8.8.8.8 | 192.168.2.4 | 0xf875 | No error (0) | dedicatedlambo9.ddns.net | | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:40.515060902 CEST | 8.8.8.8 | 192.168.2.4 | 0x7744 | No error (0) | dedicatedlambo9.ddns.net | | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:47.848233938 CEST | 8.8.8.8 | 192.168.2.4 | 0xfa33 | No error (0) | dedicatedlambo9.ddns.net | | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:54.777112961 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6ba | No error (0) | dedicatedlambo9.ddns.net | | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:46:00.867130041 CEST | 8.8.8.8 | 192.168.2.4 | 0x9015 | No error (0) | dedicatedlambo9.ddns.net | | 84.38.133.182 | A (IP address) | IN (0x0001)

                  HTTPS Packets

                  Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                  Aug 2, 2021 08:43:58.095330000 CEST | 172.217.168.68 | 443 | 192.168.2.4 | 49732 | CN=www.google.com | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | Mon Jun 28 06:12:58 CEST 2021 | Mon Sep 20 06:12:57 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                  (chain) | | | | | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | CN=GTS Root R1, O=Google Trust Services LLC, C=US | Thu Aug 13 02:00:42 CEST 2020 | Thu Sep 30 02:00:42 CEST 2027 | |
                  (chain) | | | | | CN=GTS Root R1, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Fri Jun 19 02:00:42 CEST 2020 | Fri Jan 28 01:00:42 CET 2028 | |
                  Aug 2, 2021 08:44:34.812608957 CEST | 172.217.168.68 | 443 | 192.168.2.4 | 49745 | CN=www.google.com | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | Mon Jun 28 06:12:58 CEST 2021 | Mon Sep 20 06:12:57 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                  (chain) | | | | | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | CN=GTS Root R1, O=Google Trust Services LLC, C=US | Thu Aug 13 02:00:42 CEST 2020 | Thu Sep 30 02:00:42 CEST 2027 | |
                  (chain) | | | | | CN=GTS Root R1, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Fri Jun 19 02:00:42 CEST 2020 | Fri Jan 28 01:00:42 CET 2028 | |

                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:08:43:55
                  Start date:02/08/2021
                  Path:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe'
                  Imagebase:0x450000
                  File size:775168 bytes
                  MD5 hash:DD69F329393643AA570BD3A940323136
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  Reputation:low

                  General

                  Start time:08:44:14
                  Start date:02/08/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
                  Imagebase:0x11d0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:44:15
                  Start date:02/08/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:44:16
                  Start date:02/08/2021
                  Path:C:\Windows\SysWOW64\reg.exe
                  Wow64 process (32bit):true
                  Commandline:REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
                  Imagebase:0x1320000
                  File size:59392 bytes
                  MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:44:33
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Roaming\MainProc.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\MainProc.exe'
                  Imagebase:0x200000
                  File size:775168 bytes
                  MD5 hash:DD69F329393643AA570BD3A940323136
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 15%, ReversingLabs
                  Reputation:low

                  General

                  Start time:08:44:59
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  Imagebase:0xc60000
                  File size:41064 bytes
                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944247779.0000000007E40000.00000004.00000001.sdmp, Author: Florian Roth
                  Antivirus matches:
                  • Detection: 0%, Metadefender
                  • Detection: 0%, ReversingLabs
                  Reputation:moderate

                  General

                  Start time:08:45:07
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x1e0000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Antivirus matches:
                  • Detection: 14%, Metadefender
                  • Detection: 13%, ReversingLabs
                  Reputation:moderate

                  General

                  Start time:08:45:11
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x220000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:moderate

                  General

                  Start time:08:45:15
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x780000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:17
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x270000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:17
                  Start date:02/08/2021
                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                  Imagebase:0xb70000
                  File size:41064 bytes
                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Antivirus matches:
                  • Detection: 0%, Metadefender
                  • Detection: 0%, ReversingLabs

                  General

                  Start time:08:45:18
                  Start date:02/08/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:08:45:22
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0xf30000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:26
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x350000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:32
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x460000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:36
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0xf50000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:41
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x500000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
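
                  Added example (my own triage script, not part of the Joe Sandbox report or of the sample): the checks a responder would run over the process list above, namely a well-known system binary name executing outside the Windows directory (the repeated smss.exe launches from %TEMP%), execution from a user-writable directory (InstallUtil.exe and smss.exe in AppData\Local\Temp), and one hash appearing under two different file names (InstallUtil.exe in Temp and dhcpmon.exe under Program Files (x86)\DHCP Monitor share MD5 EFEC8C379D165E3F33B536739AEE26A3). The records are transcribed from the entries on this page; the list of system binaries, the expected system directories and the user-writable path markers are assumptions of the example, not values taken from the report.

```python
"""Triage a sandbox process list for execution-location anomalies.

Added example, not code from the Joe Sandbox report. RECORDS is constructed
from the process entries on this page; SYSTEM_BINARIES, EXPECTED_SYSTEM_DIRS
and USER_WRITABLE_MARKERS are assumed baselines for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Binaries that legitimately run only from the Windows directory (assumed list).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "conhost.exe", "explorer.exe", "dllhost.exe",
}
EXPECTED_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Locations an unprivileged user can write to; execution from here is suspicious.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads")


@dataclass(frozen=True)
class ProcessRecord:
    start_time: str
    path: str
    md5: str
    size: int
    wow64: bool


# Constructed from the process entries on this page; two of the smss.exe
# launches are enough to show the repeated execution and the de-duplication.
RECORDS = [
    ProcessRecord("08:44:59", r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
                  "EFEC8C379D165E3F33B536739AEE26A3", 41064, True),
    ProcessRecord("08:45:07", r"C:\Users\user\AppData\Local\Temp\smss.exe",
                  "0E362E7005823D0BEC3719B902ED6D62", 78336, True),
    ProcessRecord("08:45:11", r"C:\Users\user\AppData\Local\Temp\smss.exe",
                  "0E362E7005823D0BEC3719B902ED6D62", 78336, True),
    ProcessRecord("08:45:17", r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
                  "EFEC8C379D165E3F33B536739AEE26A3", 41064, True),
    ProcessRecord("08:45:18", r"C:\Windows\System32\conhost.exe",
                  "EA777DEEA782E8B4D7C7C33BBF8A4496", 625664, False),
]


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare everything in lower case."""
    return path.lower()


def system_name_outside_system_dir(rec: ProcessRecord) -> bool:
    """True when a well-known system binary name runs from a non-Windows directory."""
    name = ntpath.basename(_norm(rec.path))
    directory = ntpath.dirname(_norm(rec.path))
    return name in SYSTEM_BINARIES and not directory.startswith(EXPECTED_SYSTEM_DIRS)


def runs_from_user_writable_dir(rec: ProcessRecord) -> bool:
    """True when the image lives under a user-writable location such as %TEMP%."""
    return any(marker in _norm(rec.path) for marker in USER_WRITABLE_MARKERS)


def same_hash_different_names(records) -> dict:
    """Map MD5 -> set of distinct paths, keeping only hashes seen under 2+ paths."""
    by_hash = defaultdict(set)
    for rec in records:
        by_hash[rec.md5.upper()].add(_norm(rec.path))
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def triage(records) -> list:
    """Return (rule, detail) findings, de-duplicated, in report order."""
    findings = []
    seen = set()
    for rec in records:
        for hit, rule in ((system_name_outside_system_dir(rec), "system_file_execution_location_anomaly"),
                          (runs_from_user_writable_dir(rec), "execution_from_user_writable_dir")):
            key = (rule, _norm(rec.path))
            if hit and key not in seen:
                seen.add(key)
                findings.append(key)
    for md5, paths in same_hash_different_names(records).items():
        findings.append(("same_hash_multiple_paths", md5 + ": " + " | ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(RECORDS):
        print(f"[{rule}] {detail}")
```

                  Run against the records above, the script reports the smss.exe copies in Temp under both the location-anomaly and the user-writable rules, InstallUtil.exe under the user-writable rule only, and one shared-hash finding linking InstallUtil.exe to dhcpmon.exe; conhost.exe from System32 raises nothing. The hash correlation is the check worth carrying into live telemetry: it ties the persistence copy under Program Files back to the stager in Temp without depending on either file name.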

                  Disassembly

                  Code Analysis
