Windows Analysis Report gcsEBQO3BV.exe

Overview

General Information

Sample Name: gcsEBQO3BV.exe
Analysis ID: 458901
MD5: 008a85f2c1cf538f42f94a7e88ca88c7
SHA1: b7f9e6b4177b88ae459d5aee069f06f1b7ad5485
SHA256: 4ee50840eec3ef82a73866bd6f2e00b42789a76f348bef3c01f98124edcef8b8
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • gcsEBQO3BV.exe (PID: 6300 cmdline: 'C:\Users\user\Desktop\gcsEBQO3BV.exe' MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 4240 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gcsEBQO3BV.exe (PID: 3484 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • gcsEBQO3BV.exe (PID: 6100 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
      • schtasks.exe (PID: 6416 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6792 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • gcsEBQO3BV.exe (PID: 6664 cmdline: C:\Users\user\Desktop\gcsEBQO3BV.exe 0 MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 6024 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gcsEBQO3BV.exe (PID: 1444 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
  • dhcpmon.exe (PID: 2456 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 6844 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6408 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
  • dhcpmon.exe (PID: 2212 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 6528 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7120 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f0d143be-967c-4293-98d3-3a1e128b", "Group": "BotNet", "Domain1": "microsoftsecurity.sytes.net", "Domain2": "backupnew.duckdns.org", "Port": 1177, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
(87 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
31.2.dhcpmon.exe.2fd9684.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
31.2.dhcpmon.exe.2fd9684.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
12.2.gcsEBQO3BV.exe.78a0000.26.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x3deb:$x1: NanoCore.ClientPluginHost
  • 0x3f48:$x2: IClientNetworkHost
12.2.gcsEBQO3BV.exe.78a0000.26.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x3deb:$x2: NanoCore.ClientPluginHost
  • 0x4d41:$s3: PipeExists
  • 0x3fe1:$s4: PipeCreated
  • 0x3e05:$s5: IClientLoggingHost
12.2.gcsEBQO3BV.exe.7880000.24.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x13a8:$x1: NanoCore.ClientPluginHost
(186 entries in total; only the first are shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f0d143be-967c-4293-98d3-3a1e128b", "Group": "BotNet", "Domain1": "microsoftsecurity.sytes.net", "Domain2": "backupnew.duckdns.org", "Port": 1177, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe, ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: gcsEBQO3BV.exe, Virustotal: Detection: 50%
Source: gcsEBQO3BV.exe, ReversingLabs: Detection: 63%
Yara detected Nanocore RAT
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.43a9610.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fd4c3d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.4394c3d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fd0614.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.43adc39.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.gcsEBQO3BV.exe.4079930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.dhcpmon.exe.3fc4c3d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.dhcpmon.exe.3ca9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.dhcpmon.exe.3fc0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.dhcpmon.exe.3fc0614.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.2.dhcpmon.exe.3fe0614.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.6930000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.2.dhcpmon.exe.3fe4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.6934629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.43a9610.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.dhcpmon.exe.3d79930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fd0614.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.2.dhcpmon.exe.3fe0614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.gcsEBQO3BV.exe.3d4c550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.gcsEBQO3BV.exe.3d19930.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: gcsEBQO3BV.exe PID: 6100, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: gcsEBQO3BV.exe PID: 1444, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: gcsEBQO3BV.exe, Joe Sandbox ML: detected
Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, Avira: Label: TR/NanoCore.fadte
Source: 31.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: gcsEBQO3BV.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: gcsEBQO3BV.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 20.197.234.75:1177
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: backupnew.duckdns.org
Source: Malware configuration extractor, URLs: microsoftsecurity.sytes.net
Source: global traffic, TCP traffic: 192.168.2.4:49767 -> 20.197.234.75:1177
Source: unknown, DNS traffic detected: queries for: microsoftsecurity.sytes.net
Source: gcsEBQO3BV.exe, String found in binary or memory: http://douglasheriot.com/uno/
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: gcsEBQO3BV.exe, 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: gcsEBQO3BV.exe, 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gcsEBQO3BV.exe, 00000001.00000003.653581734.0000000005BA7000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000001.00000003.653601915.0000000005BA7000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gcsEBQO3BV.exe, 00000001.00000003.653697369.0000000005BA6000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: gcsEBQO3BV.exe, 00000001.00000003.657288065.0000000005BDD000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gcsEBQO3BV.exe, 00000001.00000003.661070555.0000000005BDD000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gcsEBQO3BV.exe, 00000001.00000003.661019805.0000000005BDD000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmll-nl#
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: gcsEBQO3BV.exe, 00000001.00000003.660976926.0000000005BAB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlion4/
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: gcsEBQO3BV.exe, 00000001.00000003.653581734.0000000005BA7000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gcsEBQO3BV.exe, 00000001.00000003.662751805.0000000005BD7000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: gcsEBQO3BV.exe, 00000001.00000003.653651828.0000000005BA6000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: gcsEBQO3BV.exe, 00000001.00000003.653651828.0000000005BA6000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.K
      Source: gcsEBQO3BV.exe, 00000001.00000002.752839329.0000000001150000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: gcsEBQO3BV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: eBopYzBwUYOW.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.12.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: gcsEBQO3BV.exe Binary or memory string: OriginalFilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.757219443.0000000002FEF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.773774990.0000000007500000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000000.646123224.0000000000962000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.774077342.0000000007710000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.773588102.00000000073C0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.773588102.00000000073C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.772900292.0000000007260000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.752839329.0000000001150000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe Binary or memory string: OriginalFilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000B.00000000.747103237.00000000003C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe Binary or memory string: OriginalFilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918946745.0000000004622000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000003.757194134.0000000001733000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.921499723.0000000006840000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe Binary or memory string: OriginalFilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.884753795.00000000088F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.872141291.000000000334F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.883167329.0000000007340000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.885887929.000000000E560000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.860365821.00000000009F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.884529237.00000000088C0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.884529237.00000000088C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.864508050.00000000010C8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.882384708.0000000000B12000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe Binary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 31.2.dhcpmon.exe.2fd9684.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.2fd9684.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78a0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78a0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7880000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7880000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78fe8a4.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78fe8a4.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.43a9610.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.43a9610.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.4349930.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.4349930.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7930000.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7930000.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78f4c9f.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78f4c9f.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 30.2.gcsEBQO3BV.exe.3fd4c3d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.3fd4c3d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.7870000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7870000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.43581d4.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.43581d4.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.4394c3d.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.4394c3d.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.3fd0614.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.3fd0614.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7860000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7860000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.4694026.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.4694026.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.33ce3d8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.33ce3d8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.43adc39.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.43adc39.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.2ff9684.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.2ff9684.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fc4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fc4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.33da654.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.33da654.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7890000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7890000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78b0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78b0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.dhcpmon.exe.3ca9930.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.dhcpmon.exe.3ca9930.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.434e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.434e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fc0614.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fc0614.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fc0614.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fc0614.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.3fe0614.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.3fe0614.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.5ce0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.5ce0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.3fe4c3d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.3fe4c3d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.6934629.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6934629.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.33ce3d8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.43a9610.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.43a9610.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.3d79930.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.3d79930.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.gcsEBQO3BV.exe.4694026.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.4694026.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.gcsEBQO3BV.exe.7890000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.7890000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.gcsEBQO3BV.exe.78b0000.27.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.78b0000.27.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.gcsEBQO3BV.exe.3fd0614.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.gcsEBQO3BV.exe.3fd0614.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.gcsEBQO3BV.exe.78a0000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.78a0000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.gcsEBQO3BV.exe.7930000.33.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.7930000.33.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.gcsEBQO3BV.exe.7870000.23.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.7870000.23.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.gcsEBQO3BV.exe.2fe956c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.gcsEBQO3BV.exe.2fe956c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.gcsEBQO3BV.exe.4349930.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.gcsEBQO3BV.exe.4349930.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 34.2.dhcpmon.exe.3fe0614.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 34.2.dhcpmon.exe.3fe0614.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.gcsEBQO3BV.exe.33da654.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.gcsEBQO3BV.exe.3d4c550.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.gcsEBQO3BV.exe.3d4c550.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.gcsEBQO3BV.exe.3d19930.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.gcsEBQO3BV.exe.3d19930.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.gcsEBQO3BV.exe.3384ffc.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.921215035.0000000005CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.921215035.0000000005CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.923133784.00000000078C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923133784.00000000078C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.922985944.0000000007870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.922985944.0000000007870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.922828441.00000000076F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.922828441.00000000076F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.922966847.0000000007860000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.922966847.0000000007860000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.918972409.000000000462F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.923013512.0000000007880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.923013512.0000000007880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gcsEBQO3BV.exe PID: 6100, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: gcsEBQO3BV.exe PID: 6100, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gcsEBQO3BV.exe PID: 1444, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: gcsEBQO3BV.exe PID: 1444, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: gcsEBQO3BV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eBopYzBwUYOW.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.12.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engineClassification label: mal100.troj.evad.winEXE@32/16@11/2
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4972:120:WilError_01
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f0d143be-967c-4293-98d3-3a1e128b5398}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_01
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp
      Source: gcsEBQO3BV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: gcsEBQO3BV.exeVirustotal: Detection: 50%
      Source: gcsEBQO3BV.exeReversingLabs: Detection: 63%
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile read: C:\Users\user\Desktop\gcsEBQO3BV.exe
      Source: unknownProcess created: C:\Users\user\Desktop\gcsEBQO3BV.exe 'C:\Users\user\Desktop\gcsEBQO3BV.exe'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\Desktop\gcsEBQO3BV.exe C:\Users\user\Desktop\gcsEBQO3BV.exe 0
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: gcsEBQO3BV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: gcsEBQO3BV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 1_2_009685A5 push edx; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 1_2_00964664 push dword ptr [edx+ebx*2+20h]; ret
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 11_2_003C4664 push dword ptr [edx+ebx*2+20h]; ret
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 11_2_003C85A5 push edx; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_00FA85A5 push edx; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_00FA4664 push dword ptr [edx+ebx*2+20h]; ret
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E526E8 push ebp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E526EB push ebp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E52690 push ebp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E527A8 push ebp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E52797 push ebp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E5273F push ebp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E525F0 push esp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E53549 pushad ; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E5D535 push es; ret
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E5D2F2 push esi; retf
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E5D2D5 push esi; retf
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E5C250 pushad ; ret
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E53389 pushad ; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E52398 push esp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E5239B push esp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E52347 push ecx; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E521F7 push eax; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E52A11 push esi; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E528C8 push esi; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E528B7 push ebp; iretd
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_06E528BB push ebp; iretd
      Source: initial sampleStatic PE information: section name: .text entropy: 7.50200224495
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeFile opened: C:\Users\user\Desktop\gcsEBQO3BV.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match File source: 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6664, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2456, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2212, type: MEMORYSTR
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: gcsEBQO3BV.exe, 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: gcsEBQO3BV.exe, 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: threadDelayed 4134
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: threadDelayed 4704
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: foregroundWindowGot 409
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: foregroundWindowGot 483
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 6432 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 6908 Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 2820 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2216 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5272 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 6040 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5864 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5908 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: dhcpmon.exe, 00000014.00000002.883754806.0000000000E39000.00000004.00000001.sdmp Binary or memory string: VMware
      Source: gcsEBQO3BV.exe, 00000001.00000002.775365779.0000000008A9A000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware_!
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: vmware
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMWARE
      Source: dhcpmon.exe, 00000014.00000002.883754806.0000000000E39000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareGSZ33WSPWin32_VideoControllerR7CWK58OVideoController120060621000000.000000-0007033.8.3display.infMSBDAPNES1MC5PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZOMZ185Wd
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: gcsEBQO3BV.exe, 00000001.00000002.775365779.0000000008A9A000.00000004.00000001.sdmp Binary or memory string: VMware_!
      Source: gcsEBQO3BV.exe, 00000001.00000002.775365779.0000000008A9A000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareGSZ33WSPWin32_VideoControllerR7CWK58OVideoController120060621000000.000000-0007033.8.3display.infMSBDAPNES1MC5PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZOMZ185WrD
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: gcsEBQO3BV.exe, 00000011.00000002.866052675.00000000011A2000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware
      Source: dhcpmon.exe, 00000012.00000002.886966777.00000000087D0000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareGSZ33WSPWin32_VideoControllerR7CWK58OVideoController120060621000000.000000-0007033.8.3display.infMSBDAPNES1MC5PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZOMZ185Wk
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: gcsEBQO3BV.exe, 0000000C.00000002.915646042.0000000001702000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Memory written: C:\Users\user\Desktop\gcsEBQO3BV.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Memory written: C:\Users\user\Desktop\gcsEBQO3BV.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: gcsEBQO3BV.exe, 0000000C.00000002.917953628.000000000394A000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916195693.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916195693.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923871135.0000000007EDC000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916195693.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916987361.0000000003505000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Users\user\Desktop\gcsEBQO3BV.exe VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Users\user\Desktop\gcsEBQO3BV.exe VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Users\user\Desktop\gcsEBQO3BV.exe VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Users\user\Desktop\gcsEBQO3BV.exe VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeCode function: 12_2_07962DD8 GetSystemTimes,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_086E90D8 GetUserNameA,
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.43a9610.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 30.2.gcsEBQO3BV.exe.3fd4c3d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.4394c3d.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 30.2.gcsEBQO3BV.exe.3fd0614.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.43adc39.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 17.2.gcsEBQO3BV.exe.4079930.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 31.2.dhcpmon.exe.3fc4c3d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 20.2.dhcpmon.exe.3ca9930.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 31.2.dhcpmon.exe.3fc0614.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 31.2.dhcpmon.exe.3fc0614.3.unpack, type: UNPACKEDPE
      Source: Yara match File source: 34.2.dhcpmon.exe.3fe0614.5.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.6930000.18.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 34.2.dhcpmon.exe.3fe4c3d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.6934629.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, type: UNPACKEDPE
      Source: Yara match File source: 12.2.gcsEBQO3BV.exe.43a9610.9.unpack, type: UNPACKEDPE
      Source: Yara match File source: 18.2.dhcpmon.exe.3d79930.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 30.2.gcsEBQO3BV.exe.3fd0614.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 34.2.dhcpmon.exe.3fe0614.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.gcsEBQO3BV.exe.3d4c550.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.gcsEBQO3BV.exe.3d19930.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6100, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 1444, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORYSTR

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: gcsEBQO3BV.exe, 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDelete
CreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandle
UDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttribut
eSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGu
idAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Run
time.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: dhcpmon.exe, 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Run
time.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.43a9610.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fd4c3d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.4394c3d.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fd0614.4.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.43adc39.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 17.2.gcsEBQO3BV.exe.4079930.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 31.2.dhcpmon.exe.3fc4c3d.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 20.2.dhcpmon.exe.3ca9930.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 31.2.dhcpmon.exe.3fc0614.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 31.2.dhcpmon.exe.3fc0614.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 34.2.dhcpmon.exe.3fe0614.5.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.6930000.18.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 34.2.dhcpmon.exe.3fe4c3d.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.6934629.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.gcsEBQO3BV.exe.43a9610.9.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 18.2.dhcpmon.exe.3d79930.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 30.2.gcsEBQO3BV.exe.3fd0614.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 31.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 34.2.dhcpmon.exe.3fe0614.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 1.2.gcsEBQO3BV.exe.3d4c550.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 1.2.gcsEBQO3BV.exe.3d19930.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: gcsEBQO3BV.exe PID: 6100, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: gcsEBQO3BV.exe PID: 1444, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORYSTR

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation11 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools1 | Input Capture21 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information3 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing13 | NTDS | System Information Discovery13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion131 | Cached Domain Credentials | Security Software Discovery321 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Virtualization/Sandbox Evasion131 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Application Window Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

      Behavior Graph


      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 458901, Sample: gcsEBQO3BV.exe, Startdate: 03/08/2021, Architecture: WINDOWS, Score: 100
      • Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
      • gcsEBQO3BV.exe (node 8) started
          • Dropped: C:\Users\user\AppData\...\eBopYzBwUYOW.exe (PE32); C:\Users\user\AppData\Local\...\tmp1EA2.tmp (XML); C:\Users\user\AppData\...\gcsEBQO3BV.exe.log (ASCII)
          • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
          • Started: gcsEBQO3BV.exe (node 18); schtasks.exe (node 23) -> conhost.exe (node 43); gcsEBQO3BV.exe (node 25)
      • gcsEBQO3BV.exe (node 12) started: schtasks.exe (node 27) -> conhost.exe (node 45); gcsEBQO3BV.exe (node 29)
      • dhcpmon.exe (node 14) started: schtasks.exe (node 31) -> conhost.exe (node 47); dhcpmon.exe (node 33)
      • dhcpmon.exe (node 16) started: schtasks.exe (node 35) -> conhost.exe (node 49); dhcpmon.exe (node 37)
      • gcsEBQO3BV.exe (node 18)
          • DNS/IP: microsoftsecurity.sytes.net 20.197.234.75, 1177, 49767, 49769, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 192.168.2.1 unknown unknown
          • Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
          • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          • Started: schtasks.exe (node 39) -> conhost.exe (node 51); schtasks.exe (node 41) -> conhost.exe (node 53)

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      gcsEBQO3BV.exe | 51% | Virustotal |
      gcsEBQO3BV.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
      gcsEBQO3BV.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | 100% | Joe Sandbox ML |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
      C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

      Source | Detection | Scanner | Label
      12.2.gcsEBQO3BV.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      30.2.gcsEBQO3BV.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      34.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      12.2.gcsEBQO3BV.exe.6930000.18.unpack | 100% | Avira | TR/NanoCore.fadte
      31.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      microsoftsecurity.sytes.net | 0% | Avira URL Cloud | safe
      http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      http://www.carterandcone.com | 0% | URL Reputation | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cno.K | 0% | Avira URL Cloud | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      backupnew.duckdns.org | 0% | Avira URL Cloud | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
      http://douglasheriot.com/uno/ | 0% | Avira URL Cloud | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      microsoftsecurity.sytes.net | 20.197.234.75 | true | false | | high

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        microsoftsecurity.sytes.net | true | Avira URL Cloud: safe | unknown
        backupnew.duckdns.org | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries


                                        Contacted IPs


                                        Public

                                         IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                         20.197.234.75 | microsoftsecurity.sytes.net | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                                        Private

                                        IP
                                        192.168.2.1

                                        General Information

                                        Joe Sandbox Version:33.0.0 White Diamond
                                        Analysis ID:458901
                                        Start date:03.08.2021
                                        Start time:21:01:16
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 12m 54s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:gcsEBQO3BV.exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                         Number of new started processes analysed:35
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@32/16@11/2
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 1.5% (good quality ratio 0.9%)
                                        • Quality average: 40.1%
                                        • Quality standard deviation: 36.9%
                                        HCA Information:
                                        • Successful, ratio: 98%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .exe
                                        Warnings:
                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                        • TCP Packets have been reduced to 100
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                        • Excluded IPs from analysis (whitelisted): 52.147.198.201, 23.35.237.194, 23.211.6.115, 20.82.209.183, 168.61.161.212, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62
                                        • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                         • Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                         Time | Type | Description
                                         21:02:59 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\gcsEBQO3BV.exe" s>$(Arg0)
                                         21:02:59 | API Interceptor | 606x Sleep call for process: gcsEBQO3BV.exe modified
                                         21:02:59 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                         21:03:00 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):703488
                                        Entropy (8bit):7.478742406317566
                                        Encrypted:false
                                        SSDEEP:12288:n+J70shAUfvBweg+wToULrNMmnjx05WqV+60RiVycWTQLbOQDFi14Bp/j+PIH3mq:n+J70cLvBwP+8oUSmntIV+60wST8OQp9
                                        MD5:008A85F2C1CF538F42F94A7E88CA88C7
                                        SHA1:B7F9E6B4177B88AE459D5AEE069F06F1B7AD5485
                                        SHA-256:4EE50840EEC3EF82A73866BD6F2E00B42789A76F348BEF3C01F98124EDCEF8B8
                                        SHA-512:444BB1A3A5083DA55963429649E079742E212690D1AC18AEEDAB4F2ECBB5F1A68641F19A9533E7F428130D225F35BEF70A59D44D9B05744963A5C5CE147C6860
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 63%
                                        Reputation:unknown
                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1308
                                        Entropy (8bit):5.345811588615766
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gcsEBQO3BV.exe.log
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1308
                                        Entropy (8bit):5.345811588615766
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Local\Temp\tmp3A48.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1300
                                        Entropy (8bit):5.115086565855345
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yixtn:cbk4oL600QydbQxIYODOLedq3uj
                                        MD5:ECD2C93B3D28A0B0E2F428E0264D7B6B
                                        SHA1:09DEA2B0683368E8F8BCEA7B5C6EBE439AEE0133
                                        SHA-256:6DA36228CAC1E211B86A10B0C6A9031C1D5FEABF3E7D796776376BCBC11088B8
                                        SHA-512:E1EF65805F0F0BEEE893C5DEE5A087CF84612A61C2451BFC1125F7F0E455F4B14F0303FBD467FCFE3A67AD883E3FAA1548DB760D674F3F2F64E7CEE6D419ADA1
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1310
                                        Entropy (8bit):5.109425792877704
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmpE955.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Local\Temp\tmpFD8.tmp
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1160
                                        Entropy (8bit):7.089541637477408
                                        Encrypted:false
                                        SSDEEP:24:IQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+K:IknjhUknjhUknjhUknjhUknjhL
                                        MD5:7BEBBE1F1511163A3243CD8E0C75CC69
                                        SHA1:216B3AB5D802FA037A6EC5348B189398D8980B3C
                                        SHA-256:79A130865E9EFFFAA6C2E453942CE87F652681BCD76AAF987318300CAF5E3778
                                        SHA-512:4DCCB32411DEF72C938022B8675DA50B2DC4CD2C051B1C0377F63D6AAC42FC3D128B0ED580FB88954AB04A9E9EC8D272EBCCF74EB3F136BEF41ADBB845A1A530
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:fot:o
                                        MD5:5D50F3D2AC1305B0B1D14FF65E96BFC7
                                        SHA1:0815E076D2FF28BE4A8EDE8ED7242ADCD14472C8
                                        SHA-256:6968FFB9754308FBCA0DEE1158F38AAE070055DE1E93FB716E8B1AF1048EF2DE
                                        SHA-512:E376A82EE3278D9D1FD05CEEF1B6938BCE2A156F7F77E07DFDE9BF5238342EDEC7A99C185147DC35C29AA41FBE5722EEF7A72A2EC1A548AF7175A87C5594CF49
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: ...M.V.H
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):40
                                        Entropy (8bit):5.153055907333276
                                        Encrypted:false
                                        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                        MD5:4E5E92E2369688041CC82EF9650EDED2
                                        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):327768
                                        Entropy (8bit):7.999367066417797
                                        Encrypted:true
                                        SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                        MD5:2E52F446105FBF828E63CF808B721F9C
                                        SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                        SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                        SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):37
                                        Entropy (8bit):4.257580907551286
                                        Encrypted:false
                                        SSDEEP:3:oNt+WfWCGnnT20C:oNwvCWSJ
                                        MD5:DC939810D8F43EB38ADAEFB85AD0CEDA
                                        SHA1:2BB19FE8337D3C2CAF8EE02D1BDEC8D38B918E7B
                                        SHA-256:C2D5CEEEE6CC36CB0E1B8D95AFC3BCDF5D6147ECF29A5D463C5BC713DD3FAF3F
                                        SHA-512:4D254397E0259D87C7DA4715BF0224FD0E9282BE96A5F84A00ACFBA384AEA5D990F47D122E4A4AD75AA28313634AFFF27661D43D97154C42F70980801408B8F5
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):703488
                                        Entropy (8bit):7.478742406317566
                                        Encrypted:false
                                        SSDEEP:12288:n+J70shAUfvBweg+wToULrNMmnjx05WqV+60RiVycWTQLbOQDFi14Bp/j+PIH3mq:n+J70cLvBwP+8oUSmntIV+60wST8OQp9
                                        MD5:008A85F2C1CF538F42F94A7E88CA88C7
                                        SHA1:B7F9E6B4177B88AE459D5AEE069F06F1B7AD5485
                                        SHA-256:4EE50840EEC3EF82A73866BD6F2E00B42789A76F348BEF3C01F98124EDCEF8B8
                                        SHA-512:444BB1A3A5083DA55963429649E079742E212690D1AC18AEEDAB4F2ECBB5F1A68641F19A9533E7F428130D225F35BEF70A59D44D9B05744963A5C5CE147C6860
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 63%
                                        Reputation:unknown
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x...B......^.... ........@.. ....................................@.....................................O.......P?........................................................................... ............... ..H............text...dw... ...x.................. ..`.rsrc...P?.......@...z..............@..@.reloc..............................@..B................@.......H......................0...._...........................................0..........*....0..............s....(.....*.0...........(.....*.0............}......}.....(.........}........(...s'...}.......}......}.....u....,9..o.......(....r...p(....-...o.......(....r...p(....+..+....,...t....s0........}....*.0..I...............(.... N... !l..a%..^E................+.... ...Z ..a+....}....*....0..E........ q[0. ..L.a%..^E............#...+!....$...s#...}..... .(.+Z ]r..a+.*....0..
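The dropped-file list above is the persistence footprint of the sample in one place: task XML files in %TEMP% that register a LogonTrigger task (one of them written by the already-installed second stage, C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, not by the original file), a GUID-named folder under AppData\Roaming holding run.dat, catalog.dat, settings.bin, an encrypted storage.dat and a task.dat whose only content is the launcher path, and a copy of the submitted file (identical SHA-256) in AppData\Roaming. The script below is an added example, not Joe Sandbox code: it parses records in the Key:Value layout used on this page and applies those checks. The records embedded in it are copied from this report and trimmed to the fields used (the Preview lines are shortened to the tags that matter); the "three of the five NanoCore data files" threshold is an assumption.

```python
import re

SAMPLE_SHA256 = "4ee50840eec3ef82a73866bd6f2e00b42789a76f348bef3c01f98124edcef8b8"
NANOCORE_FILES = {"run.dat", "storage.dat", "catalog.dat", "settings.bin", "task.dat"}
PATH_LINE = re.compile(r"^[A-Za-z]:\\")  # a record starts with the dropped file's path
GUID_DIR = re.compile(r"^(.*\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\\([^\\]+)$", re.I)

# Records copied from this report, trimmed to the fields the triage reads (Preview shortened).
REPORT = r"""
C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp
Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
Preview: <Task version="1.2">..<Triggers>..<LogonTrigger>..<Enabled>true</Enabled>..<RunLevel>LeastPrivilege</RunLevel>
C:\Users\user\AppData\Local\Temp\tmp3A48.tmp
Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
SHA-256:6DA36228CAC1E211B86A10B0C6A9031C1D5FEABF3E7D796776376BCBC11088B8
Preview: <Task version="1.2">..<Triggers />..<RunLevel>HighestAvailable</RunLevel>
C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp
Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
Preview: <Task version="1.2">..<Triggers>..<LogonTrigger>..<Enabled>true</Enabled>..<RunLevel>LeastPrivilege</RunLevel>
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
File Type:data
Encrypted:false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
File Type:data
Encrypted:false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
File Type:data
Entropy (8bit):7.999367066417797
Encrypted:true
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
File Type:ASCII text, with no line terminators
Preview: C:\Users\user\Desktop\gcsEBQO3BV.exe
C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe
Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
SHA-256:4EE50840EEC3EF82A73866BD6F2E00B42789A76F348BEF3C01F98124EDCEF8B8
"""


def parse_records(text):
    """Split the report text into one dict per dropped file: {'path': ..., 'Key': 'Value', ...}."""
    records = []
    for line in text.splitlines():
        if PATH_LINE.match(line):
            records.append({"path": line.strip()})
        elif records and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only (values hold paths)
            records[-1][key.strip()] = value.strip()
    return records


def triage(records, sample_sha256=SAMPLE_SHA256):
    """Apply the NanoCore persistence checks and return findings plus the hashes worth blocking."""
    findings, by_dir = [], {}
    for r in records:
        path = r["path"]
        ftype, preview, sha = r.get("File Type", ""), r.get("Preview", ""), r.get("SHA-256", "").lower()
        if ftype.startswith("PE32") and sha == sample_sha256.lower():
            findings.append(("self_copy", path))            # the sample re-dropped itself for persistence
        if ftype.startswith("XML") and "<LogonTrigger>" in preview:
            level = re.search(r"<RunLevel>(\w+)</RunLevel>", preview)
            findings.append(("logon_task", "%s written by %s, RunLevel=%s"
                             % (path, r.get("Process"), level.group(1) if level else "?")))
        m = GUID_DIR.match(path)
        if m:
            by_dir.setdefault(m.group(1), {})[m.group(2).lower()] = r
    for d, files in by_dir.items():
        hits = NANOCORE_FILES & set(files)
        if len(hits) >= 3:                                  # assumed threshold for the client data dir
            findings.append(("nanocore_data_dir", "%s (%s)" % (d, ", ".join(sorted(hits)))))
        if files.get("task.dat", {}).get("Preview"):
            findings.append(("launcher_path", files["task.dat"]["Preview"]))
        findings += [("encrypted_store", d + "\\" + n) for n, rec in files.items()
                     if rec.get("Encrypted") == "true"]
    pe_hashes = sorted({r["SHA-256"].lower() for r in records
                        if r.get("File Type", "").startswith("PE32") and r.get("SHA-256")})
    return {"findings": findings,
            "writer_processes": sorted({r["Process"] for r in records if r.get("Process")}),
            "dropped_pe_sha256": pe_hashes}


if __name__ == "__main__":
    for kind, detail in triage(parse_records(REPORT))["findings"]:
        print("%-18s %s" % (kind, detail))
```

The writer_processes list is the quick tell that installation completed before the run ended: a task XML written by dhcpmon.exe means the copy under Program Files (x86)\DHCP Monitor is already executing and re-registering its own logon task.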

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.478742406317566
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:gcsEBQO3BV.exe
                                        File size:703488
                                        MD5:008a85f2c1cf538f42f94a7e88ca88c7
                                        SHA1:b7f9e6b4177b88ae459d5aee069f06f1b7ad5485
                                        SHA256:4ee50840eec3ef82a73866bd6f2e00b42789a76f348bef3c01f98124edcef8b8
                                        SHA512:444bb1a3a5083da55963429649e079742e212690d1ac18aeedab4f2ecbb5f1a68641f19a9533e7f428130d225f35bef70a59d44d9b05744963a5c5ce147c6860
                                        SSDEEP:12288:n+J70shAUfvBweg+wToULrNMmnjx05WqV+60RiVycWTQLbOQDFi14Bp/j+PIH3mq:n+J70cLvBwP+8oUSmntIV+60wST8OQp9
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x...B......^.... ........@.. ....................................@................................

                                        File Icon

                                        Icon Hash:8099b8acdce4e1e5

                                        Static PE Info

                                        General

                                        Entrypoint:0x4a975e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x60FF5D0A [Tue Jul 27 01:10:34 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        (the remaining bytes of the preview are zero padding, which the disassembler renders as a run of "add byte ptr [eax], al")

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa970c | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x3f50 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0xa7764 | 0xa7800 | False | 0.768110132929 | data | 7.50200224495 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xaa000 | 0x3f50 | 0x4000 | False | 0.627807617188 | data | 5.5633177152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xae000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0xaa148 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                        RT_ICON | 0xaa5b0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4278781961, next used block 4287640619 | |
                                        RT_ICON | 0xab658 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4280485632, next used block 4284557590 | |
                                        RT_GROUP_ICON | 0xadc00 | 0x30 | data | |
                                        RT_VERSION | 0xadc30 | 0x320 | data | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Copyright 2010 - 2021
                                        Assembly Version | 1.0.0.0
                                        InternalName | IpTl.exe
                                        FileVersion | 1.0.0.0
                                        CompanyName | Douglas Heriot
                                        LegalTrademarks |
                                        Comments |
                                        ProductName | Uno
                                        ProductVersion | 1.0.0.0
                                        FileDescription | Uno
                                        OriginalFilename | IpTl.exe

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        08/03/21-21:03:03.070861 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:10.961626 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:18.292169 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:25.266257 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49771 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:32.318494 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49772 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:39.569786 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49773 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:44.455750 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49775 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:49.468825 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:03:56.009783 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:04:03.242027 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 1177 | 192.168.2.4 | 20.197.234.75
                                        08/03/21-21:04:09.616586 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 1177 | 192.168.2.4 | 20.197.234.75

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Aug 3, 2021 21:03:02.716253042 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:02.924279928 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:02.924441099 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:03.070861101 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:03.294045925 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:03.317348003 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:03.521399975 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:03.567558050 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:03.823771000 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:03.823849916 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.070944071 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086047888 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086071014 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086086035 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086098909 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086117983 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086136103 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086148977 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086163044 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086182117 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086208105 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.086226940 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.086229086 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.086235046 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.086740017 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.297836065 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.297868967 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.297898054 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.297924042 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.297946930 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.297971010 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.297980070 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.297993898 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298017979 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298019886 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298023939 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298043013 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298067093 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298095942 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298165083 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298171997 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298180103 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298202991 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298227072 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298249960 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298273087 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298273087 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298278093 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298296928 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298321009 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298348904 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298373938 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.298376083 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298381090 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.298556089 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503231049 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503293037 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503340960 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503366947 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503376961 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503410101 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503442049 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503470898 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503478050 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503508091 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503511906 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503551960 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503591061 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503611088 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503624916 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503645897 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503659010 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503695011 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503748894 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503748894 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503804922 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503827095 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503844023 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503891945 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503914118 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.503926039 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.503963947 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504000902 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.504002094 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504054070 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504090071 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.504113913 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504163980 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504210949 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504245043 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.504247904 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504287004 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504307985 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.504323959 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504371881 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.504439116 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504477024 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504530907 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4
                                        Aug 3, 2021 21:03:04.504534006 CEST | 49767 | 1177 | 192.168.2.4 | 20.197.234.75
                                        Aug 3, 2021 21:03:04.504570961 CEST | 1177 | 49767 | 20.197.234.75 | 192.168.2.4

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Aug 3, 2021 21:01:56.952795029 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:01:56.985332966 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:01:57.568849087 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:01:57.601205111 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:01:57.607832909 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:01:57.628736019 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:01:58.217888117 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:01:58.247701883 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:01:58.375174046 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:01:58.409279108 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:01:58.945774078 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:01:58.971837044 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:01:59.843838930 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:01:59.888303041 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:01.114497900 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:01.142318964 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:26.074865103 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:26.131671906 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:30.935095072 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:30.967444897 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:31.618459940 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:31.643320084 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:32.320250988 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:32.347923994 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:33.247595072 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:33.282898903 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:35.248843908 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:35.273719072 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:36.348207951 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:36.376005888 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:37.560930014 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:37.585814953 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:38.261316061 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:38.296255112 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:39.084752083 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:39.120351076 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:39.795377970 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:39.829566956 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:40.587006092 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:40.622190952 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:41.739749908 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:41.765579939 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:44.346476078 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:44.451740980 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:44.917742968 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:44.969218016 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:45.592982054 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:45.599087000 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:45.635855913 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:45.641344070 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:46.000205994 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:46.055917025 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:46.581522942 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:46.616116047 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:47.445801020 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:47.483532906 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:48.080143929 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:48.115200043 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:50.090269089 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:50.125478983 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:50.950118065 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:50.982645988 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:02:51.368928909 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:02:51.405291080 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:02.669002056 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:02.703749895 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:06.806513071 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:06.841006041 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:10.531178951 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:10.568053961 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:17.960906029 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:17.996409893 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:25.024315119 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:25.057940006 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:32.071710110 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:32.109904051 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:39.324357033 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:39.359462023 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:43.347390890 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:43.380333900 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:44.149097919 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:44.181466103 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:47.680023909 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:47.720510006 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:49.132050037 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:49.165702105 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:03:55.735852957 CEST | 63300 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:03:55.768687010 CEST | 53 | 63300 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:04:02.992939949 CEST | 61449 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:04:03.026909113 CEST | 53 | 61449 | 8.8.8.8 | 192.168.2.4
                                        Aug 3, 2021 21:04:09.355088949 CEST | 51275 | 53 | 192.168.2.4 | 8.8.8.8
                                        Aug 3, 2021 21:04:09.391959906 CEST | 53 | 51275 | 8.8.8.8 | 192.168.2.4

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Aug 3, 2021 21:03:02.669002056 CEST | 192.168.2.4 | 8.8.8.8 | 0x96ad | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:10.531178951 CEST | 192.168.2.4 | 8.8.8.8 | 0x8d7b | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:17.960906029 CEST | 192.168.2.4 | 8.8.8.8 | 0x9de4 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:25.024315119 CEST | 192.168.2.4 | 8.8.8.8 | 0xc473 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:32.071710110 CEST | 192.168.2.4 | 8.8.8.8 | 0xd17e | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:39.324357033 CEST | 192.168.2.4 | 8.8.8.8 | 0xc6e4 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:44.149097919 CEST | 192.168.2.4 | 8.8.8.8 | 0x25a2 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:49.132050037 CEST | 192.168.2.4 | 8.8.8.8 | 0x4f92 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:55.735852957 CEST | 192.168.2.4 | 8.8.8.8 | 0x1981 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:02.992939949 CEST | 192.168.2.4 | 8.8.8.8 | 0xef0 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:09.355088949 CEST | 192.168.2.4 | 8.8.8.8 | 0x766e | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Aug 3, 2021 21:03:02.703749895 CEST | 8.8.8.8 | 192.168.2.4 | 0x96ad | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:10.568053961 CEST | 8.8.8.8 | 192.168.2.4 | 0x8d7b | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:17.996409893 CEST | 8.8.8.8 | 192.168.2.4 | 0x9de4 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:25.057940006 CEST | 8.8.8.8 | 192.168.2.4 | 0xc473 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:32.109904051 CEST | 8.8.8.8 | 192.168.2.4 | 0xd17e | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:39.359462023 CEST | 8.8.8.8 | 192.168.2.4 | 0xc6e4 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:44.181466103 CEST | 8.8.8.8 | 192.168.2.4 | 0x25a2 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:49.165702105 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f92 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:55.768687010 CEST | 8.8.8.8 | 192.168.2.4 | 0x1981 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:03.026909113 CEST | 8.8.8.8 | 192.168.2.4 | 0xef0 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:09.391959906 CEST | 8.8.8.8 | 192.168.2.4 | 0x766e | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)

                                        Code Manipulations

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time: 21:02:04
                                        Start date: 03/08/2021
                                        Path: C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit): true
                                        Commandline: 'C:\Users\user\Desktop\gcsEBQO3BV.exe'
                                        Imagebase: 0x960000
                                        File size: 703488 bytes
                                        MD5 hash: 008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: .Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation: low

                                        General

                                        Start time:21:02:50
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:51
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:51
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):false
                                        Commandline:{path}
                                        Imagebase:0x3c0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:21:02:52
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xfa0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.921215035.0000000005CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.921215035.0000000005CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923133784.00000000078C0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923133784.00000000078C0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.922985944.0000000007870000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.922985944.0000000007870000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.922828441.00000000076F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.922828441.00000000076F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.922966847.0000000007860000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.922966847.0000000007860000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.918972409.000000000462F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923013512.0000000007880000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923013512.0000000007880000.00000004.00000001.sdmp, Author: Florian Roth
                                        Reputation:low

                                        General

                                        Start time:21:02:57
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:57
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:58
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:58
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:00
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\gcsEBQO3BV.exe 0
                                        Imagebase:0x9f0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:21:03:01
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                        Imagebase:0x9e0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 63%, ReversingLabs
                                        Reputation:low

                                        General

                                        Start time:21:03:08
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                        Imagebase:0x8a0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:21:03:42
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xb10000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                        General

                                        Start time:21:03:44
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xc00000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                        General

                                        Start time:21:03:52
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:03:53
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:03:54
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xa90000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
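The process records above already hold the evidence a responder pivots on: schtasks.exe creating tasks ('Updates\eBopYzBwUYOW', 'DHCP Monitor', 'DHCP Monitor Task') from XML files in the user's Temp folder, a copy of the sample (same MD5) running from C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, and Yara hits in the re-spawned children whose dump names carry protection 0x40 (PAGE_EXECUTE_READWRITE) at 0x402000, which is where the injected NanoCore image sits. The script below, added here as an example and not part of the Joe Sandbox report or its tooling, parses records in the report's own plain-text layout and turns them into findings. It runs on a constructed excerpt of the records above; treating the 16-hex-digit dump-name field as the region base and the following 8-hex-digit field as the Win32 protection constant is an assumption of this example.

```python
"""Turn Joe Sandbox "System Behavior" process records into findings.

Example code for this report, not Joe Sandbox tooling.  It parses records in
the report's plain-text layout (the "General" blocks) and flags scheduled
tasks created from an XML in the user's Temp folder, a copy of the sample
running from another path, and Yara hits on executable memory.
"""
import re
from dataclasses import dataclass, field

# Win32 page protections with the execute bit live in the high nibble
# (PAGE_EXECUTE 0x10, _READ 0x20, _READWRITE 0x40, _WRITECOPY 0x80).
PAGE_EXECUTE_MASK = 0xF0

# Dump names look like 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp
# Assumption: the 16-digit field is the region base, the 8-digit one after it
# the protection constant.
DUMP_RE = re.compile(r"^[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.", re.I)
YARA_RE = re.compile(r"Rule: ([^,]+),.*Source: ([^,]+),")
CREATE_RE = re.compile(r"/create", re.I)
TEMP_XML_RE = re.compile(r"/xml\s+'?[^']*\\AppData\\Local\\Temp\\", re.I)
TASK_NAME_RE = re.compile(r"/tn\s+'([^']+)'", re.I)


@dataclass
class Process:
    fields: dict = field(default_factory=dict)
    yara: list = field(default_factory=list)  # (rule name, dump source)

    def get(self, key):
        return self.fields.get(key, "")


def parse_records(text):
    """Split report text on its 'General' headers into Process objects."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            procs.append(Process())
        elif not procs or not line:
            continue
        elif line.startswith("•"):           # Yara match bullet
            m = YARA_RE.search(line)
            if m:
                procs[-1].yara.append((m.group(1), m.group(2)))
        elif ":" in line:                    # "Key:value" record line
            key, _, value = line.partition(":")
            procs[-1].fields[key.strip()] = value.strip()
    return procs


def analyze(procs, sample_md5, sample_path):
    """Return (finding, detail) tuples for the behaviours described above."""
    findings = []
    for p in procs:
        path, cmd = p.get("Path"), p.get("Commandline")
        # schtasks /create with the task definition staged in the user's Temp dir
        if (path.lower().endswith("\\schtasks.exe") and CREATE_RE.search(cmd)
                and TEMP_XML_RE.search(cmd)):
            name = TASK_NAME_RE.search(cmd)
            findings.append(("task_from_temp_xml", name.group(1) if name else cmd))
        # same binary (by hash) executing from somewhere other than the original drop
        if p.get("MD5 hash").lower() == sample_md5.lower() and path.lower() != sample_path.lower():
            findings.append(("sample_copy_running", path))
        # Yara hits inside executable memory: injected/unpacked payload, not a data buffer
        seen = set()
        for rule, src in p.yara:
            m = DUMP_RE.match(src)
            if not m:
                continue
            base, prot = int(m.group(1), 16), int(m.group(2), 16)
            if prot & PAGE_EXECUTE_MASK and (rule, base) not in seen:
                seen.add((rule, base))
                findings.append(("yara_in_executable_memory",
                                 f"{path} rule={rule} base=0x{base:x} prot=0x{prot:x}"))
    return findings


SAMPLE_MD5 = "008A85F2C1CF538F42F94A7E88CA88C7"
SAMPLE_PATH = r"C:\Users\user\Desktop\gcsEBQO3BV.exe"

# Constructed excerpt: five records copied from the report, trimmed to the fields used.
SAMPLE_REPORT = r"""
General
Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
Commandline:'C:\Users\user\Desktop\gcsEBQO3BV.exe'
MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
General
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'
MD5 hash:15FF7D8324231381BAD48A052F85DF04
General
Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
Commandline:{path}
MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
General
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp'
MD5 hash:15FF7D8324231381BAD48A052F85DF04
General
Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
"""

if __name__ == "__main__":
    for kind, detail in analyze(parse_records(SAMPLE_REPORT), SAMPLE_MD5, SAMPLE_PATH):
        print(f"{kind:28} {detail}")
```

The Yara hit at 0x3341000 (protection 0x04, PAGE_READWRITE) is deliberately not reported: a signature firing on a heap buffer says the payload was in memory, while a hit on an executable region at the image base of a re-spawned copy of the sample says it was mapped to run there, which is the process-injection evidence worth escalating.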

                                        Disassembly

                                        Code Analysis
