Windows Analysis Report oGZg708edu.exe

Overview

General Information

Sample Name: oGZg708edu.exe
Analysis ID: 458234
MD5: a12a9c428510a3ee87c68078c3633f69
SHA1: ff6c453d63faf3d63ecd17e172e9e8601478911b
SHA256: 639d614a07d34139806093f8c24190e1de1e463620b4c852ab0f5a089029f6a6
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • oGZg708edu.exe (PID: 3152 cmdline: 'C:\Users\user\Desktop\oGZg708edu.exe' MD5: A12A9C428510A3EE87C68078C3633F69)
    • schtasks.exe (PID: 4948 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpCB9C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • oGZg708edu.exe (PID: 2000 cmdline: {path} MD5: A12A9C428510A3EE87C68078C3633F69)
    • oGZg708edu.exe (PID: 5424 cmdline: {path} MD5: A12A9C428510A3EE87C68078C3633F69)
    • oGZg708edu.exe (PID: 4404 cmdline: {path} MD5: A12A9C428510A3EE87C68078C3633F69)
      • schtasks.exe (PID: 3156 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEB6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3596 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE241.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • oGZg708edu.exe (PID: 492 cmdline: C:\Users\user\Desktop\oGZg708edu.exe 0 MD5: A12A9C428510A3EE87C68078C3633F69)
    • schtasks.exe (PID: 5640 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp7633.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • oGZg708edu.exe (PID: 5280 cmdline: {path} MD5: A12A9C428510A3EE87C68078C3633F69)
    • oGZg708edu.exe (PID: 5252 cmdline: {path} MD5: A12A9C428510A3EE87C68078C3633F69)
  • dhcpmon.exe (PID: 3440 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: A12A9C428510A3EE87C68078C3633F69)
    • schtasks.exe (PID: 5324 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 5348 cmdline: {path} MD5: A12A9C428510A3EE87C68078C3633F69)
  • dhcpmon.exe (PID: 4744 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A12A9C428510A3EE87C68078C3633F69)
    • schtasks.exe (PID: 3260 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp990D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6100 cmdline: {path} MD5: A12A9C428510A3EE87C68078C3633F69)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "f0d143be-967c-4293-98d3-3a1e128b",
  "Group": "BotNet",
  "Domain1": "microsoftsecurity.sytes.net",
  "Domain2": "backupnew.duckdns.org",
  "Port": 1177,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Enable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

Unpacked PEs

Source | Rule | Description | Author | Strings
36.2.dhcpmon.exe.40d0614.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
36.2.dhcpmon.exe.40d0614.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
36.2.dhcpmon.exe.40d0614.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
36.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
36.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\oGZg708edu.exe, ProcessId: 4404, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore (same event as above)

Stealing of Sensitive Information:

Sigma detected: NanoCore (same event as above)

Remote Access Functionality:

Sigma detected: NanoCore (same event as above)

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for domain / URL
Source: microsoftsecurity.sytes.net | Virustotal: Detection: 8%
Source: backupnew.duckdns.org | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 52%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | ReversingLabs: Detection: 81%
Multi AV Scanner detection for submitted file
Source: oGZg708edu.exe | Virustotal: Detection: 52%
Source: oGZg708edu.exe | ReversingLabs: Detection: 81%
Yara detected Nanocore RAT
Source: Yara match (unpacked PEs, memory dumps and process memory of oGZg708edu.exe and dhcpmon.exe; see the Yara Overview section above)
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: oGZg708edu.exe | Joe Sandbox ML: detected
Source: 36.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.oGZg708edu.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 33.2.oGZg708edu.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 40.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: oGZg708edu.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: oGZg708edu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 20.197.234.75:1177
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 20.197.234.75:1177
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: backupnew.duckdns.org
Source: Malware configuration extractor | URLs: microsoftsecurity.sytes.net
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 20.197.234.75:1177
Source: unknown | DNS traffic detected: queries for: microsoftsecurity.sytes.net
        Source: oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: oGZg708edu.exe, 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 36.2.dhcpmon.exe.40d0614.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b40614.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.oGZg708edu.exe.4169930.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4cedd48.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.dhcpmon.exe.42f9930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4204c3d.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.40f9930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e94c3d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4200614.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b40614.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.40d0614.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b44c3d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e90614.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e90614.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.40d4c3d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4200614.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4be7e02.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4bc75a1.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4bd37d5.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.oGZg708edu.exe.3e99930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.473767841.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.419130064.0000000003081000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000002.428863955.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.478473398.00000000041B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.412767434.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 4404, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 5252, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5348, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6100, type: MEMORYSTR
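        The source identifiers in this list, and in the "String found in binary or memory" rows above, carry more than a file name once their fields are decoded. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or of its tooling. It assumes the .sdmp name fields are process index (hex), stage (hex), sequence number, base address, memory protection (a winnt.h PAGE_* value) and a type field. That reading is inferred from the rows on this page rather than documented here: 00000011 decodes to 17, the same process as 17.2.oGZg708edu.exe.400000.0.unpack; the dumps at 0x402000 carry 0x40 (PAGE_EXECUTE_READWRITE) while the dumps holding the font-vendor URLs carry 0x02 (PAGE_READONLY). The font-vendor allowlist and the "RWX page at the usual 0x400000 image base means a written-in payload" heuristic are the example's own, and the sample rows are copies of rows from this report shortened to two dumps each.

```python
"""Triage helpers for the Source/Detail rows of a Joe Sandbox report (added example)."""
import re
from collections import defaultdict

# winnt.h PAGE_* values. Reading the fifth .sdmp name field as this value is an
# assumption, consistent with the rows on this page (0x02 on the read-only font
# mappings, 0x40 on the dumps of the injected NanoCore image).
PAGE_PROTECTIONS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# Font foundries whose URLs sit in the name tables of fonts shipped with Windows
# (allowlist built for this example from the URL rows above).
FONT_VENDOR_DOMAINS = {"www.fontbureau.com", "www.fonts.com", "www.founder.com.cn",
                       "www.galapagosdesign.com", "www.goodfont.co.kr", "www.jiyu-kobo.co.jp",
                       "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr",
                       "www.tiro.com", "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn"}
# <process>.<stage>.<seq>.<base>.<protection>.<type>.sdmp (hex fields, decimal seq)
SDMP_RE = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\."
                     r"([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)
# <process>.<stage>.<image>.<base>.<n>[.raw].unpack (decimal process/stage, hex base)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)\.(?:raw\.)?unpack$", re.I)
# One row; accepts the fused form ("...sdmpString found in binary or memory:") left by
# the lost column separator as well as a " | " separated row.
ROW_RE = re.compile(r"^Source: (.*?)(?: \| )?(String found in binary or memory|"
                    r"Binary or memory string|File source|Matched rule): (.*)$")

def parse_source(token):
    """Decode one source token into process index, stage, base address and protection."""
    m = SDMP_RE.match(token.strip())
    if m:
        proc, stage, _seq, base, prot, _typ = m.groups()
        return {"kind": "sdmp", "process": int(proc, 16), "stage": int(stage, 16),
                "base": int(base, 16), "protection": PAGE_PROTECTIONS.get(int(prot, 16), prot)}
    m = UNPACK_RE.match(token.strip())
    if m:
        proc, stage, image, base, _n = m.groups()
        return {"kind": "unpack", "process": int(proc), "stage": int(stage),
                "image": image, "base": int(base, 16), "protection": None}
    return None  # bare image names ("dhcpmon.exe") and PID-only entries carry no location

def parse_row(row):
    """Split a report row into label, detail text and the decoded source list."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    left, label, detail = m.groups()
    if label == "File source":  # Yara-match rows carry the source on the right
        left, detail = detail, "Yara match"
    left = left.split(", type:")[0]
    sources = [s for s in map(parse_source, left.split(", ")) if s]
    return {"label": label, "detail": detail, "sources": sources}

def classify_url(row):
    """A font-vendor URL seen only in read-only mappings is font metadata, not C2."""
    m = re.match(r"https?://([^/\s]+)", row["detail"])
    host = m.group(1).lower() if m else ""
    # Trailing letters such as ".netD" are neighbouring bytes of an unterminated
    # string in the dump, so compare on the domain prefix.
    known = any(host == d or (host.startswith(d) and host[len(d):].isalpha())
                for d in FONT_VENDOR_DOMAINS)
    prots = {s["protection"] for s in row["sources"] if s["kind"] == "sdmp"}
    return "font-metadata" if known and prots and prots <= {"PAGE_READONLY"} else "review"

def yara_hits_by_process(rows):
    """Map process index -> {(base, protection)} over every Yara-positive source."""
    hits = defaultdict(set)
    for row in rows:
        if row["detail"] != "Yara match" and row["label"] != "Matched rule":
            continue
        for s in row["sources"]:
            hits[s["process"]].add((s["base"], s["protection"] or "unpack"))
    return dict(hits)

def rwx_image_processes(hits):
    """Processes with a Yara hit in an RWX page at the usual 0x400000 image base.
    A loader-mapped image is PAGE_EXECUTE_READ; RWX there is the heuristic this
    example uses for a payload written into a hollowed host."""
    return sorted(p for p, regions in hits.items()
                  if any(prot == "PAGE_EXECUTE_READWRITE" and 0x400000 <= base < 0x410000
                         for base, prot in regions))

# Constructed sample: rows copied from this report, shortened to two dumps each.
SAMPLE_ROWS = [
    "Source: oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, "
    "dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp"
    "String found in binary or memory: http://www.typography.netD",
    "Source: oGZg708edu.exe, 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp"
    "Binary or memory string: RegisterRawInputDevices",
    "Source: Yara matchFile source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORY",
    "Source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
]

if __name__ == "__main__":
    rows = [r for r in map(parse_row, SAMPLE_ROWS) if r]
    for row in rows:
        if row["label"] == "String found in binary or memory":
            print(classify_url(row), row["detail"])
    hits = yara_hits_by_process(rows)
    print({p: sorted(f"{b:#x}/{prot}" for b, prot in r) for p, r in sorted(hits.items())})
    print("RWX image-base hits in processes:", rwx_image_processes(hits))
```

        On the sample rows the font URL is classified as font-metadata, the RegisterRawInputDevices string (a keyboard-capture API, found in a PAGE_READWRITE region of process 17) stays marked for review, and processes 17 and 36 are reported as RWX image-base hits. Fed every row of this report, the same grouping singles out processes 17, 33, 36 and 40 (the 0x402000 dumps with protection 0x40, each paired with a matching 400000.0.unpack entry) as the hosts the NanoCore image was written into, while process 1, the original sample, only holds the payload in PAGE_READWRITE heap regions such as 0x4169000 before injecting it.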

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 36.2.dhcpmon.exe.40d0614.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 40.2.dhcpmon.exe.3b40614.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.3256348.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.3256348.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 36.2.dhcpmon.exe.30e9684.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.3241d0c.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.oGZg708edu.exe.4169930.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.oGZg708edu.exe.4169930.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.4cedd48.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4bd37d5.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 33.2.oGZg708edu.exe.2ea956c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.42f9930.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.42f9930.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 40.2.dhcpmon.exe.2b59684.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4204c3d.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.31ddd0c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.40f9930.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.40f9930.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 33.2.oGZg708edu.exe.3e94c3d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4200614.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 40.2.dhcpmon.exe.3b40614.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.3235ac4.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 36.2.dhcpmon.exe.40d0614.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 40.2.dhcpmon.exe.3b44c3d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.3235ac4.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 33.2.oGZg708edu.exe.3e90614.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 33.2.oGZg708edu.exe.3e90614.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 36.2.dhcpmon.exe.40d4c3d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4bc75a1.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.4200614.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4be7e02.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4be7e02.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.3241d0c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.3241d0c.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.4bc75a1.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.oGZg708edu.exe.4bd37d5.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.oGZg708edu.exe.3e99930.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.oGZg708edu.exe.3e99930.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000024.00000002.419130064.0000000003081000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000028.00000002.428863955.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.478473398.00000000041B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000021.00000002.412767434.0000000002E41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: oGZg708edu.exe PID: 4404, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: oGZg708edu.exe PID: 4404, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: oGZg708edu.exe PID: 5252, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: oGZg708edu.exe PID: 5252, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5348, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5348, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6100, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6100, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_015D7E79
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_015DD424
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07779610
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07774B00
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_0777A240
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07774230
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07776220
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07779FE0
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07779600
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07773EE8
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_0777E698
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_0777A510
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_0777A503
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_0777A237
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07870FC8
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07875658
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_078788A0
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07870040
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07872F88
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07875B90
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07872F98
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07870FB8
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07877308
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_078772F9
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07873600
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07873610
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07875648
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_0787158B
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07874DA2
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_078731A8
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_078731B8
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07874DE5
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07874D00
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07876080
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07874CFB
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07870007
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07871C03
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07873400
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07873410
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07876071
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 17_2_0182E480
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 17_2_0182E471
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 17_2_0182BBD4
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_02C87E79
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_02C8D424
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_02C83D61
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_0866F030
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_0866FB48
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_0866FB37
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_015A7E88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_015AD424
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_015A7E79
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_056C1AC0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_056C0040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_056C0007
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_056C1AB1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072C957B
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072C9588
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072CA478
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072CA488
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072C6220
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072C4230
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072CA1AB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072CA1B8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072C9F58
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072C3EE8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072C4B00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_01957E79
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_0195D424
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075E9588
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075E4B00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075E4230
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075E6220
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075EA1B8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075E9F58
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075E3EE8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075E957A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075EA478
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075EE4F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075EA488
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_075EA1AA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C0FC8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C5658
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C0040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C88A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C0FB8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C2F88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C0F83
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C2F98
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C5648
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C3600
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C3610
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C4D00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C4DE5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C4DA2
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C3400
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C3410
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C4CFB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C7308
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C5B90
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C72F9
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C31A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C31B8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C6071
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C0007
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_076C6080
        Source: oGZg708edu.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: eBopYzBwUYOW.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: oGZg708edu.exe, 00000001.00000002.302226717.0000000007AB0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000001.00000002.302226717.0000000007AB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000001.00000002.302037801.0000000007890000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000001.00000002.302153351.0000000007A60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000001.00000002.301760086.0000000007600000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000001.00000002.296528512.000000000343F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs oGZg708edu.exe
        Source: oGZg708edu.exe, 0000000F.00000002.292553249.0000000000236000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000010.00000000.293364718.00000000001D6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.472288552.00000000014D8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.470512364.0000000000ED6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000015.00000002.404705488.0000000007380000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000015.00000002.406219289.00000000089D0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000015.00000002.394090536.000000000316F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000015.00000000.302220558.0000000000B76000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000015.00000002.406765857.000000000E6B0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000015.00000002.405049376.00000000086C0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000015.00000002.405049376.00000000086C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000020.00000002.390728214.00000000001C6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000021.00000002.411357659.0000000000B46000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs oGZg708edu.exe
        Source: oGZg708edu.exe, 00000021.00000002.411913110.000000000110A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs oGZg708edu.exe
        Source: oGZg708edu.exe Binary or memory string: OriginalFilenameIpTl.exe( vs oGZg708edu.exe
        Source: oGZg708edu.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 36.2.dhcpmon.exe.40d0614.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 36.2.dhcpmon.exe.40d0614.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 40.2.dhcpmon.exe.3b40614.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 40.2.dhcpmon.exe.3b40614.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.3256348.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.3256348.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 36.2.dhcpmon.exe.30e9684.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 36.2.dhcpmon.exe.30e9684.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.3241d0c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.3241d0c.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.oGZg708edu.exe.4169930.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.oGZg708edu.exe.4169930.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.4cedd48.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4cedd48.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4bd37d5.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4bd37d5.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 33.2.oGZg708edu.exe.2ea956c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 33.2.oGZg708edu.exe.2ea956c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.dhcpmon.exe.42f9930.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.42f9930.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 40.2.dhcpmon.exe.2b59684.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 40.2.dhcpmon.exe.2b59684.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4204c3d.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4204c3d.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.31ddd0c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.31ddd0c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.40f9930.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.40f9930.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 33.2.oGZg708edu.exe.3e94c3d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 33.2.oGZg708edu.exe.3e94c3d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4200614.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4200614.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 40.2.dhcpmon.exe.3b40614.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 40.2.dhcpmon.exe.3b40614.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.3235ac4.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 36.2.dhcpmon.exe.40d0614.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 36.2.dhcpmon.exe.40d0614.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 40.2.dhcpmon.exe.3b44c3d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 40.2.dhcpmon.exe.3b44c3d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.3235ac4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.3235ac4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 33.2.oGZg708edu.exe.3e90614.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 33.2.oGZg708edu.exe.3e90614.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 33.2.oGZg708edu.exe.3e90614.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 33.2.oGZg708edu.exe.3e90614.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 36.2.dhcpmon.exe.40d4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 36.2.dhcpmon.exe.40d4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4bc75a1.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4bc75a1.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.4200614.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4200614.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4be7e02.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4be7e02.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.3241d0c.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.3241d0c.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.4bc75a1.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.oGZg708edu.exe.4bd37d5.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.oGZg708edu.exe.3e99930.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.oGZg708edu.exe.3e99930.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000024.00000002.419130064.0000000003081000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000028.00000002.428863955.0000000003AF9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.478473398.00000000041B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000021.00000002.412767434.0000000002E41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: oGZg708edu.exe PID: 4404, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: oGZg708edu.exe PID: 4404, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: oGZg708edu.exe PID: 5252, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: oGZg708edu.exe PID: 5252, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5348, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5348, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6100, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6100, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: oGZg708edu.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: eBopYzBwUYOW.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.17.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 36.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 36.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 36.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 40.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 40.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 33.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 36.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 36.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@36/17@12/2
        Source: C:\Users\user\Desktop\oGZg708edu.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\oGZg708edu.exeFile created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exeJump to behavior
        Source: C:\Users\user\Desktop\oGZg708edu.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f0d143be-967c-4293-98d3-3a1e128b5398}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3032:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_01
        Source: C:\Users\user\Desktop\oGZg708edu.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCB9C.tmpJump to behavior
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\oGZg708edu.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: oGZg708edu.exe | Virustotal: Detection: 52%
        Source: oGZg708edu.exe | ReversingLabs: Detection: 81%
        Source: C:\Users\user\Desktop\oGZg708edu.exe | File read: C:\Users\user\Desktop\oGZg708edu.exe
        Source: unknown | Process created: C:\Users\user\Desktop\oGZg708edu.exe 'C:\Users\user\Desktop\oGZg708edu.exe'
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpCB9C.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Users\user\Desktop\oGZg708edu.exe {path} (3 identical entries)
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEB6.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE241.tmp'
        Source: unknown | Process created: C:\Users\user\Desktop\oGZg708edu.exe C:\Users\user\Desktop\oGZg708edu.exe 0
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp7633.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Users\user\Desktop\oGZg708edu.exe {path} (2 identical entries)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp990D.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\oGZg708edu.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: oGZg708edu.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: oGZg708edu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, 33.2.oGZg708edu.exe.400000.0.unpack, 36.2.dhcpmon.exe.400000.0.unpack and 40.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, 33.2.oGZg708edu.exe.400000.0.unpack, 36.2.dhcpmon.exe.400000.0.unpack and 40.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_00D085A5 push edx; iretd
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_00D04664 push dword ptr [edx+ebx*2+20h]; ret
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_015DFDD8 push 08057BCFh; iretd
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_0777C2C8 push eax; retf
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_07871870 pushad ; iretd
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 15_2_00174664 push dword ptr [edx+ebx*2+20h]; ret
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 15_2_001785A5 push edx; iretd
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 16_2_00114664 push dword ptr [edx+ebx*2+20h]; ret
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 16_2_001185A5 push edx; iretd
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 17_2_00E185A5 push edx; iretd
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 17_2_00E14664 push dword ptr [edx+ebx*2+20h]; ret
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_00AB85A5 push edx; iretd
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_00AB4664 push dword ptr [edx+ebx*2+20h]; ret
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_058E24C0 push ecx; ret
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 21_2_0866BE28 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00CD85A5 push edx; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00CD4664 push dword ptr [edx+ebx*2+20h]; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_056C806D pushad ; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_056C8A30 push C58FBA62h; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_072CE885 push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_00DF85A5 push edx; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_00DF4664 push dword ptr [edx+ebx*2+20h]; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 24_2_076C1870 pushad ; iretd
        Source: initial sample | Static PE information: section name: .text entropy: 7.50200224495 (3 identical entries)
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, 33.2.oGZg708edu.exe.400000.0.unpack, 36.2.dhcpmon.exe.400000.0.unpack and 40.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 17.2.oGZg708edu.exe.400000.0.unpack, 33.2.oGZg708edu.exe.400000.0.unpack, 36.2.dhcpmon.exe.400000.0.unpack and 40.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\oGZg708edu.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\oGZg708edu.exe | File created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpCB9C.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\oGZg708edu.exe | File opened: C:\Users\user\Desktop\oGZg708edu.exe:Zone.Identifier (access: read attributes | delete)
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process information set: NOOPENFILEERRORBOX (125 identical entries)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.296057400.0000000003161000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.401094970.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.393602382.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 492, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 3440, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4744, type: MEMORYSTR
        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        Source: C:\Users\user\Desktop\oGZg708edu.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: oGZg708edu.exe, 00000001.00000002.296057400.0000000003161000.00000004.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.393602382.0000000002E91000.00000004.00000001.sdmp, dhcpmon.exe, 00000017.00000002.401094970.00000000030F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: oGZg708edu.exe, 00000001.00000002.296057400.0000000003161000.00000004.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.393602382.0000000002E91000.00000004.00000001.sdmp, dhcpmon.exe, 00000017.00000002.401094970.00000000030F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Window / User API: threadDelayed 1548
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Window / User API: threadDelayed 7783
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Window / User API: foregroundWindowGot 411
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Window / User API: foregroundWindowGot 505
        Source: C:\Users\user\Desktop\oGZg708edu.exe TID: 3704 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\oGZg708edu.exe TID: 2484 | Thread sleep time: -12912720851596678s >= -30000s
        Source: C:\Users\user\Desktop\oGZg708edu.exe TID: 5540 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5960 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 400 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\oGZg708edu.exe TID: 5356 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5904 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2336 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: dhcpmon.exe, 00000018.00000002.408907435.0000000001550000.00000004.00000001.sdmp | Binary or memory string: VMware
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000018.00000002.408907435.0000000001550000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareSGF24SROWin32_VideoController1SYFR7HUVideoController120060621000000.000000-0004484.389display.infMSBDACYMCPLUCPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors8XF6LZS2
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: oGZg708edu.exe, 00000011.00000002.472701749.0000000001575000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIY
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: oGZg708edu.exe, 00000015.00000002.405848354.00000000088E0000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareSGF24SROWin32_VideoController1SYFR7HUVideoController120060621000000.000000-0004484.389display.infMSBDACYMCPLUCPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors8XF6LZS2t
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
        Source: dhcpmon.exe, 00000018.00000002.408907435.0000000001550000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareSGF24SROWin32_VideoController1SYFR7HUVideoController120060621000000.000000-0004484.389display.infMSBDACYMCPLUCPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA0
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Memory written: C:\Users\user\Desktop\oGZg708edu.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpCB9C.tmp'
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Users\user\Desktop\oGZg708edu.exe {path}
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEB6.tmp'
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE241.tmp'
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp7633.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp990D.tmp'
        Source: oGZg708edu.exe, 00000011.00000002.478085438.00000000036BA000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa1lh
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: oGZg708edu.exe, 00000011.00000002.473272369.0000000001BE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: oGZg708edu.exe, 00000011.00000002.473272369.0000000001BE0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: oGZg708edu.exe, 00000011.00000002.478382893.00000000037F4000.00000004.00000001.sdmp | Binary or memory string: Program Manager|*
        Source: oGZg708edu.exe, 00000011.00000002.473272369.0000000001BE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Users\user\Desktop\oGZg708edu.exe VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Users\user\Desktop\oGZg708edu.exe VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Code function: 1_2_077790D8 GetUserNameA,
        Source: C:\Users\user\Desktop\oGZg708edu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\oGZg708edu.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\oGZg708edu.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\oGZg708edu.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 36.2.dhcpmon.exe.40d0614.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b40614.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.oGZg708edu.exe.4169930.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4cedd48.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.dhcpmon.exe.42f9930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4204c3d.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.40f9930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e94c3d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4200614.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b40614.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.40d0614.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.3b44c3d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e90614.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 33.2.oGZg708edu.exe.3e90614.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 36.2.dhcpmon.exe.40d4c3d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4200614.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4be7e02.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4bc75a1.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.oGZg708edu.exe.4bd37d5.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.oGZg708edu.exe.3e99930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.473767841.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.419130064.0000000003081000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000002.428863955.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.478473398.00000000041B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000021.00000002.412767434.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 4404, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: oGZg708edu.exe PID: 5252, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5348, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6100, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: oGZg708edu.exe, 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttrib
uteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttribute
GuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDele
teCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHand
leUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: oGZg708edu.exe, 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSyste
m.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: oGZg708edu.exe, 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: oGZg708edu.exe, 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSyste
m.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match, File source: 36.2.dhcpmon.exe.40d0614.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.oGZg708edu.exe.4169930.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.2.dhcpmon.exe.40cb7de.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 40.2.dhcpmon.exe.3b40614.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4cf2371.14.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 1.2.oGZg708edu.exe.4169930.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 40.2.dhcpmon.exe.3b3b7de.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4cedd48.12.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 24.2.dhcpmon.exe.42f9930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4204c3d.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.2.oGZg708edu.exe.3e8b7de.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 23.2.dhcpmon.exe.40f9930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.2.oGZg708edu.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.2.oGZg708edu.exe.3e94c3d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4200614.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 40.2.dhcpmon.exe.3b40614.5.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.2.dhcpmon.exe.40d0614.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 23.2.dhcpmon.exe.40f9930.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 40.2.dhcpmon.exe.3b44c3d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.41fb7de.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.2.oGZg708edu.exe.3e90614.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.2.oGZg708edu.exe.3e90614.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.oGZg708edu.exe.3e99930.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 40.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.2.dhcpmon.exe.40d4c3d.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 24.2.dhcpmon.exe.42f9930.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4200614.7.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4be7e02.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4bc75a1.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4ce8f12.13.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4cedd48.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.oGZg708edu.exe.4bd37d5.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 21.2.oGZg708edu.exe.3e99930.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.473767841.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000002.419130064.0000000003081000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000028.00000002.428863955.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.478473398.00000000041B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000021.00000002.412767434.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: oGZg708edu.exe PID: 3152, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: oGZg708edu.exe PID: 4404, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: oGZg708edu.exe PID: 5252, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5348, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6100, type: MEMORYSTR

        MITRE ATT&CK Matrix

        (Numbers after a technique name are the signature counts the report attaches to that technique; an empty cell means no technique is listed in that row for that column.)

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 11 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 2 | Input Capture 11 | Security Software Discovery 321 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | System Information Discovery 12 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 458234, Sample: oGZg708edu.exe, Start date: 03/08/2021, Architecture: WINDOWS, Score: 100

        Start node (2): DNS/IP: microsoftsecurity.sytes.net. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 13 other signatures. Processes started: oGZg708edu.exe (9), oGZg708edu.exe (13), dhcpmon.exe (16), dhcpmon.exe (18).

        Process 9, oGZg708edu.exe: dropped C:\Users\user\AppData\...\eBopYzBwUYOW.exe (PE32), C:\Users\user\AppData\Local\...\tmpCB9C.tmp (XML), C:\Users\user\AppData\...\oGZg708edu.exe.log (ASCII). Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes. Processes started: oGZg708edu.exe (20), schtasks.exe (25), 2 other processes.

        Process 13, oGZg708edu.exe: DNS/IP: 192.168.2.1 unknown unknown. Processes started: schtasks.exe (27), 2 other processes.

        Process 16, dhcpmon.exe: processes started: schtasks.exe (29), dhcpmon.exe (31).

        Process 18, dhcpmon.exe: processes started: schtasks.exe (33), dhcpmon.exe (35).

        Process 20, oGZg708edu.exe: DNS/IP: microsoftsecurity.sytes.net 20.197.234.75, ports 1177, 49731, 49732, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States. Dropped C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859), C:\...\dhcpmon.exe:Zone.Identifier (ASCII). Signature: Hides that the sample has been downloaded from the Internet (zone.identifier). Processes started: schtasks.exe (41), schtasks.exe (43).

        schtasks.exe child processes: 25 -> conhost.exe (45); 27 -> conhost.exe (47); 29 -> conhost.exe (49); 33 -> conhost.exe (51); 41 -> conhost.exe (53); 43 -> conhost.exe (55).

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        oGZg708edu.exe | 53% | Virustotal |
        oGZg708edu.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
        oGZg708edu.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 53% | Virustotal |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
        C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Unpacked PE Files

        Source | Detection | Scanner | Label
        36.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        17.2.oGZg708edu.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        33.2.oGZg708edu.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        40.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        microsoftsecurity.sytes.net | 9% | Virustotal |
        microsoftsecurity.sytes.net | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        backupnew.duckdns.org | 9% | Virustotal |
        backupnew.duckdns.org | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        http://douglasheriot.com/uno/ | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://www.sakkal.com | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        microsoftsecurity.sytes.net | 20.197.234.75 | true | false | | high

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          microsoftsecurity.sytes.net | true | 9% Virustotal; Avira URL Cloud: safe | unknown
          backupnew.duckdns.org | true | 9% Virustotal; Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://google.com | oGZg708edu.exe, 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp | false | | high
          http://www.carterandcone.coml | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://douglasheriot.com/uno/ | oGZg708edu.exe | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/ | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.fonts.com | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | oGZg708edu.exe, 00000001.00000002.296057400.0000000003161000.00000004.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.393602382.0000000002E91000.00000004.00000001.sdmp, dhcpmon.exe, 00000017.00000002.401094970.00000000030F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp | false | | high
          http://www.sakkal.com | oGZg708edu.exe, 00000001.00000002.300552676.0000000006100000.00000002.00000001.sdmp, oGZg708edu.exe, 00000015.00000002.403001244.0000000005DF0000.00000002.00000001.sdmp, dhcpmon.exe, 00000017.00000002.410679523.0000000006130000.00000002.00000001.sdmp, dhcpmon.exe, 00000018.00000002.420027552.0000000006360000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs

                                  Public

                                   IP | Domain | Country | ASN | ASN Name | Malicious
                                   20.197.234.75 | microsoftsecurity.sytes.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

                                  Joe Sandbox Version:33.0.0 White Diamond
                                  Analysis ID:458234
                                  Start date:03.08.2021
                                  Start time:04:17:10
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 13m 5s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:oGZg708edu.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                   Number of new started processes analysed:43
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@36/17@12/2
                                  EGA Information:Failed
                                  HDC Information:
                                  • Successful, ratio: 1.2% (good quality ratio 0.8%)
                                  • Quality average: 40.2%
                                  • Quality standard deviation: 36.8%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                  • TCP Packets have been reduced to 100
                                   • Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.255.188.83, 20.82.209.183, 23.211.4.86, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154
                                  • Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                   • Not all processes were analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                   Time | Type | Description
                                   04:18:44 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\oGZg708edu.exe" s>$(Arg0)
                                   04:18:44 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                   04:18:45 | API Interceptor | 673x Sleep call for process: oGZg708edu.exe modified
                                   04:18:47 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):840192
                                  Entropy (8bit):7.166906857781212
                                  Encrypted:false
                                  SSDEEP:24576:x+J70cLvBwP+8oUSmntIV+60wST8OQpiy:xK70qvFISLZ5I3
                                  MD5:A12A9C428510A3EE87C68078C3633F69
                                  SHA1:FF6C453D63FAF3D63ECD17E172E9E8601478911B
                                  SHA-256:639D614A07D34139806093F8C24190E1DE1E463620B4C852AB0F5A089029F6A6
                                  SHA-512:3791BD990B51F6B511597F02A95E0D1459BCE7E9835171071132D9C48F4390F2C2AD354BD780D97D947DF288B1E2FC2AFA815BB89CA83B31B68D4A710D8A2C11
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                   • Antivirus: Virustotal, Detection: 53%
                                  • Antivirus: ReversingLabs, Detection: 81%
                                  Reputation:unknown
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x...X......^.... ........@.. ....................... ............@.....................................O........T........................................................................... ............... ..H............text...dw... ...x.................. ..`.rsrc....T.......V...z..............@..@.reloc..............................@..B................@.......H......................0...._...........................................0..........*....0..............s....(.....*.0...........(.....*.0............}......}.....(.........}........(...s'...}.......}......}.....u....,9..o.......(....r...p(....-...o.......(....r...p(....+..+....,...t....s0........}....*.0..I...............(.... N... !l..a%..^E................+.... ...Z ..a+....}....*....0..E........ q[0. ..L.a%..^E............#...+!....$...s#...}..... .(.+Z ]r..a+.*....0..
                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: [ZoneTransfer]....ZoneId=0
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1308
                                  Entropy (8bit):5.345811588615766
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oGZg708edu.exe.log
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1308
                                  Entropy (8bit):5.345811588615766
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                  MD5:2E016B886BDB8389D2DD0867BE55F87B
                                  SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                  SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                  SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                  C:\Users\user\AppData\Local\Temp\tmp7633.tmp
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1645
                                  Entropy (8bit):5.197051255242617
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
                                  MD5:F100F4090A302E04A4E5584333049320
                                  SHA1:69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
                                  SHA-256:A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
                                  SHA-512:CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                  C:\Users\user\AppData\Local\Temp\tmp8650.tmp
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1645
                                  Entropy (8bit):5.197051255242617
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
                                  MD5:F100F4090A302E04A4E5584333049320
                                  SHA1:69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
                                  SHA-256:A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
                                  SHA-512:CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                  C:\Users\user\AppData\Local\Temp\tmp990D.tmp
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1645
                                  Entropy (8bit):5.197051255242617
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
                                  MD5:F100F4090A302E04A4E5584333049320
                                  SHA1:69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
                                  SHA-256:A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
                                  SHA-512:CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                  C:\Users\user\AppData\Local\Temp\tmpCB9C.tmp
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1645
                                  Entropy (8bit):5.197051255242617
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
                                  MD5:F100F4090A302E04A4E5584333049320
                                  SHA1:69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
                                  SHA-256:A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
                                  SHA-512:CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
                                  Malicious:true
                                  Reputation:unknown
                                   Preview:
                                   <?xml version="1.0" encoding="UTF-16"?>
                                   <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                     <RegistrationInfo>
                                       <Date>2014-10-25T14:27:44.8929027</Date>
                                       <Author>computer\user</Author>
                                     </RegistrationInfo>
                                     <Triggers>
                                       <LogonTrigger>
                                         <Enabled>true</Enabled>
                                         <UserId>computer\user</UserId>
                                       </LogonTrigger>
                                       <RegistrationTrigger>
                                         <Enabled>false</Enabled>
                                       </RegistrationTrigger>
                                     </Triggers>
                                     <Principals>
                                       <Principal id="Author">
                                         <UserId>computer\user</UserId>
                                         <LogonType>InteractiveToken</LogonType>
                                         <RunLevel>LeastPrivilege</RunLevel>
                                       </Principal>
                                     </Principals>
                                     <Settings>
                                       <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
                                       <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                       <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                                       <AllowHardTerminate>false</AllowHardTerminate>
                                       <StartWhenAvailable>true
                                  C:\Users\user\AppData\Local\Temp\tmpDEB6.tmp
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1300
                                  Entropy (8bit):5.116011525193795
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Sxtn:cbk4oL600QydbQxIYODOLedq39j
                                  MD5:A4616A9969F52416137AF93B0850A147
                                  SHA1:87249D767458390015CEAE9F0E15282C9E7D1552
                                  SHA-256:6EF2344883ECD186A5F7AFC53284B605FC0BD9E01D5A7F149ED3C50BEB03AC78
                                  SHA-512:3716BF79E3D160E1140A345F72A81E935F5284C83C33F2E114D01F97F53E4EC8DCC6E96E93796FBFE8828F1AF05CF9E13D2FABF1E96F77862D2F6A198EF976F9
                                  Malicious:false
                                  Reputation:unknown
                                   Preview:
                                   <?xml version="1.0" encoding="UTF-16"?>
                                   <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                     <RegistrationInfo />
                                     <Triggers />
                                     <Principals>
                                       <Principal id="Author">
                                         <LogonType>InteractiveToken</LogonType>
                                         <RunLevel>HighestAvailable</RunLevel>
                                       </Principal>
                                     </Principals>
                                     <Settings>
                                       <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
                                       <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                       <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                                       <AllowHardTerminate>true</AllowHardTerminate>
                                       <StartWhenAvailable>false</StartWhenAvailable>
                                       <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
                                       <IdleSettings>
                                         <StopOnIdleEnd>false</StopOnIdleEnd>
                                         <RestartOnIdle>false</RestartOnIdle>
                                       </IdleSettings>
                                       <AllowStartOnDemand>true</AllowStartOnDemand>
                                       <Enabled>true</Enabled>
                                       <Hidden>false</Hidden>
                                       <RunOnlyIfIdle>false</RunOnlyIfIdle>
                                       <Wak
                                  C:\Users\user\AppData\Local\Temp\tmpE241.tmp
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1310
                                  Entropy (8bit):5.109425792877704
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                  Malicious:false
                                  Reputation:unknown
                                   Preview:
                                   <?xml version="1.0" encoding="UTF-16"?>
                                   <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                     <RegistrationInfo />
                                     <Triggers />
                                     <Principals>
                                       <Principal id="Author">
                                         <LogonType>InteractiveToken</LogonType>
                                         <RunLevel>HighestAvailable</RunLevel>
                                       </Principal>
                                     </Principals>
                                     <Settings>
                                       <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
                                       <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                       <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                                       <AllowHardTerminate>true</AllowHardTerminate>
                                       <StartWhenAvailable>false</StartWhenAvailable>
                                       <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
                                       <IdleSettings>
                                         <StopOnIdleEnd>false</StopOnIdleEnd>
                                         <RestartOnIdle>false</RestartOnIdle>
                                       </IdleSettings>
                                       <AllowStartOnDemand>true</AllowStartOnDemand>
                                       <Enabled>true</Enabled>
                                       <Hidden>false</Hidden>
                                       <RunOnlyIfIdle>false</RunOnlyIfIdle>
                                       <Wak
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1624
                                  Entropy (8bit):7.089541637477408
                                  Encrypted:false
                                  SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhL
                                  MD5:74AACAE24C76D8BE7578A460BAE23521
                                  SHA1:523B694F22C1E962B7234BE9637DA09060CFB0C1
                                  SHA-256:2EFF42A56A82D1EB8E689FE73F5471B111FA17F1ECF72B90A731B59AFF691BFB
                                  SHA-512:5D715F8D14841552E280A9A5A5F749B23EEEBE713F7E95B288D921982800F2AB1FAAFDA67E420F28D882BF5904799E6BE62D4CAE451507FFB5EC3631B5D11FF6
                                  Malicious:false
                                  Reputation:unknown
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:ISO-8859 text, with no line terminators
                                  Category:dropped
                                  Size (bytes):8
                                  Entropy (8bit):3.0
                                  Encrypted:false
                                  SSDEEP:3:nV4:nu
                                  MD5:D15DECD1081B46827663AF9CF4EACEE8
                                  SHA1:90EAA0C7BF0E4A3DAF1162DA6E6D4AA40F36D7E5
                                  SHA-256:01E59B5DB6B8A084D8E868E1B1A3BDC02930E3A4D1F4CA6BA6B92D5D8F19E262
                                  SHA-512:2462E2F3F8EF9AF4A7F828E3E3D94C93BCA6D9E809979B7A24EBFDCC9749C4E4488ECF09EE290BD3ABD05AA6E1EE687DDCB098582ABAB8ED098CCB7B609BD663
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: B..spV.H
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):24
                                  Entropy (8bit):4.501629167387823
                                  Encrypted:false
                                  SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                  MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                  SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                  SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                  SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 9iH...}Z.4..f..J".C;"a
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):64
                                  Entropy (8bit):5.320159765557392
                                  Encrypted:false
                                  SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                  MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                  SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                  SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                  SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):327768
                                  Entropy (8bit):7.999367066417797
                                  Encrypted:true
                                  SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                  MD5:2E52F446105FBF828E63CF808B721F9C
                                  SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                  SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                  SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                  Malicious:false
                                  Reputation:unknown
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):37
                                  Entropy (8bit):4.3887904473424575
                                  Encrypted:false
                                  SSDEEP:3:oNWXp5vKcx1Nn:oNWXpFKUn
                                  MD5:EC481BDB5F700B5C4C9976C193C5C9D0
                                  SHA1:4B244ECDB1AE925A6B5D61AE68F5069F6438D03B
                                  SHA-256:0923133BA507F2D574D794913F1BBC700DDECFA6C5F834853B39B52DF8B8C223
                                  SHA-512:E7AB69E5A1C843A6EF3B878394A9E5198A61851761095F64F89ABC2FFF5852B5745262ECD6FA5C263F112643111FF08AC7EC9BE296DE5C7C2BCA4C3F1A8ABF9D
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: C:\Users\user\Desktop\oGZg708edu.exe
                                  C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe
                                  Process:C:\Users\user\Desktop\oGZg708edu.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):840192
                                  Entropy (8bit):7.166906857781212
                                  Encrypted:false
                                  SSDEEP:24576:x+J70cLvBwP+8oUSmntIV+60wST8OQpiy:xK70qvFISLZ5I3
                                  MD5:A12A9C428510A3EE87C68078C3633F69
                                  SHA1:FF6C453D63FAF3D63ECD17E172E9E8601478911B
                                  SHA-256:639D614A07D34139806093F8C24190E1DE1E463620B4C852AB0F5A089029F6A6
                                  SHA-512:3791BD990B51F6B511597F02A95E0D1459BCE7E9835171071132D9C48F4390F2C2AD354BD780D97D947DF288B1E2FC2AFA815BB89CA83B31B68D4A710D8A2C11
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 81%
                                  Reputation:unknown

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.166906857781212
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:oGZg708edu.exe
                                  File size:840192
                                  MD5:a12a9c428510a3ee87c68078c3633f69
                                  SHA1:ff6c453d63faf3d63ecd17e172e9e8601478911b
                                  SHA256:639d614a07d34139806093f8c24190e1de1e463620b4c852ab0f5a089029f6a6
                                  SHA512:3791bd990b51f6b511597f02a95e0d1459bce7e9835171071132d9c48f4390f2c2ad354bd780d97d947df288b1e2fc2afa815bb89ca83b31b68d4a710d8a2c11
                                  SSDEEP:24576:x+J70cLvBwP+8oUSmntIV+60wST8OQpiy:xK70qvFISLZ5I3

                                  File Icon

                                  Icon Hash:00e87160ec8e11c4

                                  Static PE Info

                                  General

                                  Entrypoint:0x4a975e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x60FF5D0A [Tue Jul 27 01:10:34 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al

                                  Data Directories

                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa970c | 0x4f | .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x25480 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x2000 | 0xa7764 | 0xa7800 | False | 0.768110132929 | data | 7.50200224495 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                   .rsrc | 0xaa000 | 0x25480 | 0x25600 | False | 0.499973871237 | data | 5.05166248803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0xd0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                   Name | RVA | Size | Type | Language | Country
                                   RT_ICON | 0xaa1d8 | 0xca21 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                   RT_ICON | 0xb6bfc | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                   RT_ICON | 0xc7424 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                   RT_ICON | 0xcb64c | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                   RT_ICON | 0xcdbf4 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                   RT_ICON | 0xcec9c | 0x468 | GLS_BINARY_LSB_FIRST | |
                                   RT_GROUP_ICON | 0xcf104 | 0x5a | data | |
                                   RT_VERSION | 0xcf160 | 0x320 | data | |

                                  Imports

                                   DLL | Import
                                   mscoree.dll | _CorExeMain

                                  Version Infos

                                   Description | Data
                                   Translation | 0x0000 0x04b0
                                   LegalCopyright | Copyright 2010 - 2021
                                   Assembly Version | 1.0.0.0
                                   InternalName | IpTl.exe
                                   FileVersion | 1.0.0.0
                                   CompanyName | Douglas Heriot
                                   LegalTrademarks |
                                   Comments |
                                   ProductName | Uno
                                   ProductVersion | 1.0.0.0
                                   FileDescription | Uno
                                   OriginalFilename | IpTl.exe

                                  Network Behavior

                                  Snort IDS Alerts

                                   Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                   08/03/21-04:18:47.741441 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49731 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:18:54.505511 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49732 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:18:59.595151 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:07.000289 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49742 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:14.314203 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:21.157290 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:28.704182 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:35.693482 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:43.223929 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49749 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:50.131484 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:19:57.336641 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 1177 | 192.168.2.3 | 20.197.234.75
                                   08/03/21-04:20:04.126786 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 1177 | 192.168.2.3 | 20.197.234.75

                                  Network Port Distribution

                                  TCP Packets


                                  UDP Packets


                                  DNS Queries

                                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                         Type            Class
                                  Aug 3, 2021 04:18:47.383886099 CEST  192.168.2.3  8.8.8.8  0x461d    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:18:54.262795925 CEST  192.168.2.3  8.8.8.8  0xec25    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:18:59.348112106 CEST  192.168.2.3  8.8.8.8  0x32bf    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:06.734199047 CEST  192.168.2.3  8.8.8.8  0x176d    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:14.065514088 CEST  192.168.2.3  8.8.8.8  0x778     Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:20.914865017 CEST  192.168.2.3  8.8.8.8  0x5041    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:28.460050106 CEST  192.168.2.3  8.8.8.8  0x756     Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:35.175431013 CEST  192.168.2.3  8.8.8.8  0xcfdb    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:42.992228985 CEST  192.168.2.3  8.8.8.8  0xe000    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:49.874043941 CEST  192.168.2.3  8.8.8.8  0xcaa1    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:57.053425074 CEST  192.168.2.3  8.8.8.8  0xcc57    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:20:03.876873016 CEST  192.168.2.3  8.8.8.8  0xbdbc    Standard query (0)  microsoftsecurity.sytes.net  A (IP address)  IN (0x0001)

                                  DNS Answers

                                  Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                         CName  Address        Type            Class
                                  Aug 3, 2021 04:18:47.418164968 CEST  8.8.8.8    192.168.2.3  0x461d    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:18:54.295703888 CEST  8.8.8.8    192.168.2.3  0xec25    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:18:59.383363962 CEST  8.8.8.8    192.168.2.3  0x32bf    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:06.769438028 CEST  8.8.8.8    192.168.2.3  0x176d    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:14.101072073 CEST  8.8.8.8    192.168.2.3  0x778     No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:20.949115038 CEST  8.8.8.8    192.168.2.3  0x5041    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:28.492324114 CEST  8.8.8.8    192.168.2.3  0x756     No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:35.210721970 CEST  8.8.8.8    192.168.2.3  0xcfdb    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:43.016822100 CEST  8.8.8.8    192.168.2.3  0xe000    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:49.908018112 CEST  8.8.8.8    192.168.2.3  0xcaa1    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:19:57.086298943 CEST  8.8.8.8    192.168.2.3  0xcc57    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)
                                  Aug 3, 2021 04:20:03.915702105 CEST  8.8.8.8    192.168.2.3  0xbdbc    No error (0)  microsoftsecurity.sytes.net  -      20.197.234.75  A (IP address)  IN (0x0001)

                                  Code Manipulations

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:04:17:58
                                  Start date:03/08/2021
                                  Path:C:\Users\user\Desktop\oGZg708edu.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\oGZg708edu.exe'
                                  Imagebase:0xd00000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.296057400.0000000003161000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.297604330.0000000004260000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.297034302.0000000004169000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:04:18:39
                                  Start date:03/08/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpCB9C.tmp'
                                  Imagebase:0xa30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:18:39
                                  Start date:03/08/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:18:40
                                  Start date:03/08/2021
                                  Path:C:\Users\user\Desktop\oGZg708edu.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x170000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  General

                                  Start time:04:18:40
                                  Start date:03/08/2021
                                  Path:C:\Users\user\Desktop\oGZg708edu.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x110000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  General

                                  Start time:04:18:41
                                  Start date:03/08/2021
                                  Path:C:\Users\user\Desktop\oGZg708edu.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xe10000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.469053932.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.474117189.000000000321E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.479023933.0000000004CE8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.473767841.00000000031B1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.478473398.00000000041B1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.478473398.00000000041B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.478830783.0000000004B18000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:04:18:43
                                  Start date:03/08/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEB6.tmp'
                                  Imagebase:0xa30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:18:43
                                  Start date:03/08/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:18:44
                                  Start date:03/08/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE241.tmp'
                                  Imagebase:0xa30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:18:44
                                  Start date:03/08/2021
                                  Path:C:\Users\user\Desktop\oGZg708edu.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\oGZg708edu.exe 0
                                  Imagebase:0xab0000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.395101501.0000000003E99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000015.00000002.393602382.0000000002E91000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:04:18:44
                                  Start date:03/08/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:18:47
                                  Start date:03/08/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                  Imagebase:0xcd0000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.401094970.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.404321195.00000000040F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 53%, Virustotal, Browse
                                  • Detection: 81%, ReversingLabs
                                  Reputation:low

                                  General

                                  Start time:04:18:52
                                  Start date:03/08/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                  Imagebase:0xdf0000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000002.410009096.00000000032F1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.412621241.00000000042F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:04:19:24
                                  Start date:03/08/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp7633.tmp'
                                  Imagebase:0xa30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:19:24
                                  Start date:03/08/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:19:25
                                  Start date:03/08/2021
                                  Path:C:\Users\user\Desktop\oGZg708edu.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x100000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  General

                                  Start time:04:19:26
                                  Start date:03/08/2021
                                  Path:C:\Users\user\Desktop\oGZg708edu.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xa80000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.411088159.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.412991615.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.412767434.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000021.00000002.412767434.0000000002E41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:04:19:27
                                  Start date:03/08/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'
                                  Imagebase:0xa30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:19:28
                                  Start date:03/08/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:04:19:29
                                  Start date:03/08/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xcf0000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000024.00000002.419402447.0000000004089000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000024.00000002.419130064.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000024.00000002.419130064.0000000003081000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000024.00000002.416229254.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                  General

                                  Start time:04:19:32
                                  Start date:03/08/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp990D.tmp'
                                  Imagebase:0xa30000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:04:19:32
                                  Start date:03/08/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:04:19:33
                                  Start date:03/08/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x670000
                                  File size:840192 bytes
                                  MD5 hash:A12A9C428510A3EE87C68078C3633F69
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000028.00000002.428759376.0000000002AF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.428863955.0000000003AF9000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000028.00000002.428863955.0000000003AF9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000028.00000002.427422564.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

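                                  The process entries above record the persistence chain as the sandbox observed it: schtasks.exe registering tasks ('DHCP Monitor', 'DHCP Monitor Task', 'Updates\eBopYzBwUYOW') from XML files dropped in the user's %TEMP% directory, and the submitted sample re-executed as C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe with the same MD5 as oGZg708edu.exe. The following is an added detection example, not part of the Joe Sandbox report: it runs two simple checks over records constructed from the command lines, paths and hashes listed above. The record labels, function names and the "same hash, new path" heuristic are the editor's own assumptions, not fields the report defines.

```python
import re
from typing import Dict, List, Optional, Tuple

# MD5 of the submitted sample, taken from the process listing above.
SAMPLE_MD5 = "A12A9C428510A3EE87C68078C3633F69"
SAMPLE_ORIGINAL_PATH = r"C:\Users\user\Desktop\oGZg708edu.exe"

# Constructed records: cmdline, path and md5 are copied from the process entries
# in this report; the "label" field is added here only for readable output.
PROCESSES: List[Dict[str, str]] = [
    {"label": "schtasks-1", "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "md5": "15FF7D8324231381BAD48A052F85DF04",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEB6.tmp'"},
    {"label": "schtasks-2", "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "md5": "15FF7D8324231381BAD48A052F85DF04",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE241.tmp'"},
    {"label": "sample-desktop", "path": SAMPLE_ORIGINAL_PATH,
     "md5": SAMPLE_MD5,
     "cmdline": r"C:\Users\user\Desktop\oGZg708edu.exe 0"},
    {"label": "dhcpmon-1", "path": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "md5": SAMPLE_MD5,
     "cmdline": r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0"},
    {"label": "schtasks-3", "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "md5": "15FF7D8324231381BAD48A052F85DF04",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp7633.tmp'"},
    {"label": "conhost", "path": r"C:\Windows\System32\conhost.exe",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# schtasks switches are case-insensitive; the report quotes arguments with single quotes.
XML_ARG = re.compile(r"/xml\s+'([^']+)'", re.IGNORECASE)
TASK_ARG = re.compile(r"/tn\s+'([^']+)'", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def schtasks_from_temp_xml(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (task_name, xml_path) when a scheduled task is created from an XML
    definition located under %LOCALAPPDATA%\\Temp, otherwise None."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    xml = XML_ARG.search(cmdline)
    if xml is None or TEMP_DIR.search(xml.group(1)) is None:
        return None
    task = TASK_ARG.search(cmdline)
    return (task.group(1) if task else "<unknown>", xml.group(1))


def is_relocated_sample(proc: Dict[str, str], sample_md5: str, original_path: str) -> bool:
    """True when a process image has the submitted sample's hash but runs from a
    different path, i.e. the sample copied itself somewhere and was re-launched."""
    return (proc["md5"].upper() == sample_md5.upper()
            and proc["path"].lower() != original_path.lower())


def analyze(processes: List[Dict[str, str]], sample_md5: str,
            original_path: str) -> List[Tuple[str, str, str]]:
    """Run both checks over every record; returns (label, finding, detail) tuples."""
    findings: List[Tuple[str, str, str]] = []
    for proc in processes:
        hit = schtasks_from_temp_xml(proc["cmdline"])
        if hit is not None:
            findings.append((proc["label"], "schtasks_create_from_temp_xml",
                             f"task={hit[0]} xml={hit[1]}"))
        if is_relocated_sample(proc, sample_md5, original_path):
            findings.append((proc["label"], "sample_copy_executed_from_new_path", proc["path"]))
    return findings


if __name__ == "__main__":
    for label, finding, detail in analyze(PROCESSES, SAMPLE_MD5, SAMPLE_ORIGINAL_PATH):
        print(f"{label:16} {finding:36} {detail}")
```

                                  Run against the constructed records, the first check fires on all three schtasks invocations and the second on the dhcpmon.exe launch from Program Files (x86); the Desktop launch and conhost.exe produce nothing. In a live environment the same two conditions map directly onto process-creation telemetry (Sysmon Event ID 1 or equivalent): schtasks.exe with /create and an /xml argument under a user Temp directory, and an image hash first seen on the desktop later executing from a freshly created directory under Program Files.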
                                  Disassembly

                                  Code Analysis
