Windows Analysis Report RHK098760045678009000.exe

Overview

General Information

Sample Name: RHK098760045678009000.exe
Analysis ID: 510055
MD5: 8ae8a20159a1fdedd8c4937e8cc4c571
SHA1: a68c405aa1bec64c9790c321b4785c98f5c9a2a6
SHA256: bd386b60f5a095f369d4473d5f3185c226363a563f45326cea048e10f0ff403b
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: NanoCore
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • RHK098760045678009000.exe (PID: 1744 cmdline: 'C:\Users\user\Desktop\RHK098760045678009000.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
    • RHK098760045678009000.exe (PID: 4364 cmdline: 'C:\Users\user\Desktop\RHK098760045678009000.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
      • schtasks.exe (PID: 2724 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • dhcpmon.exe (PID: 6216 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
      • schtasks.exe (PID: 5728 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RHK098760045678009000.exe (PID: 5820 cmdline: C:\Users\user\Desktop\RHK098760045678009000.exe 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
    • RHK098760045678009000.exe (PID: 2184 cmdline: C:\Users\user\Desktop\RHK098760045678009000.exe 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
  • dhcpmon.exe (PID: 2724 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
  • dhcpmon.exe (PID: 6692 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
    • dhcpmon.exe (PID: 6812 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
  • cleanup

Malware Configuration

Threatname: NanoCore

Version: 1.2.2.0
Mutex: 319d0527-f6c8-4b20-86a3-4c642aa0
Group: MONEY
Domain1: ""
Domain2: 185.222.57.90
Port: 4445
RunOnStartup: Enable
RequestElevation: Disable
BypassUAC: Enable
ClearZoneIdentifier: Enable
ClearAccessControl: Disable
SetCriticalProcess: Disable
PreventSystemSleep: Enable
ActivateAwayMode: Disable
EnableDebugMode: Disable
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: ffff0000
MaxPacketSize: 0000a000
GCThreshold: 0000a000
UseCustomDNS: Enable
PrimaryDNSServer: 8.8.8.8
BackupDNSServer: 8.8.4.4
BypassUserAccountControlData (embedded Task Scheduler XML; the \r\n and \" escapes of the extractor's JSON string are decoded below, and the string ends at "</Task" without the closing ">"):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task
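
The configuration above drives most of what the rest of this report records: Domain2 and Port are the C2 endpoint the Snort alerts fire on, ClearZoneIdentifier matches the zone.identifier signature, and BypassUserAccountControlData is a complete Task Scheduler definition, which is what the schtasks.exe /create /xml calls in the process tree register. The following Python is an added example written for this page; it is not part of the Joe Sandbox output and not NanoCore code. It loads the extractor's JSON exactly as printed above, pulls out the network and persistence indicators, and parses the embedded task XML to show what the task actually requests. Two parsing details: the extractor's XML string ends at "</Task" without the closing ">", so the example appends that one character, and it strips the encoding="UTF-16" prolog because Python's ElementTree rejects a multi-byte encoding declaration when fed an already-decoded str. Whether RunLevel HighestAvailable yields an elevated token with no prompt depends on the registering account being an administrator and on the host's UAC policy; the code only reports what the definition asks for.

```python
import json
import re
import xml.etree.ElementTree as ET

# The NanoCore configuration as the sandbox's configuration extractor printed it for this
# sample (copied from the report above). Raw-string pieces keep the \" and \r\n JSON escapes.
RAW_CONFIG = (
    r'{"Version": "1.2.2.0", "Mutex": "319d0527-f6c8-4b20-86a3-4c642aa0", "Group": "MONEY", '
    r'"Domain1": "", "Domain2": "185.222.57.90", "Port": 4445, "RunOnStartup": "Enable", '
    r'"RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", '
    r'"ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", '
    r'"PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", '
    r'"RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, '
    r'"KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, '
    r'"BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", '
    r'"UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", '
    r'"BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n'
    r'<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n'
    r'  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n'
    r'      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n'
    r'    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n'
    r'    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n'
    r'    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n'
    r'    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n'
    r'    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n'
    r'    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n'
    r'      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n'
    r'    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n'
    r'    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n'
    r'    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n'
    r'  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n'
    r'      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}'
)
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def parse_config(raw=RAW_CONFIG):
    """Decode the extractor's JSON into a dict."""
    return json.loads(raw)


def network_indicators(cfg):
    """C2 (host, port) pairs plus the resolvers the client is told to use. Domain1 is empty
    here and Domain2 is a bare IP, which is why the report sees TCP traffic with no DNS query."""
    hosts = [h for h in (cfg.get("Domain1"), cfg.get("Domain2")) if h]
    dns = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer")] if cfg.get("UseCustomDNS") == "Enable" else []
    return {"c2": [(h, cfg["Port"]) for h in hosts], "custom_dns": dns}


def parse_task_xml(xml_text):
    """Fields of the embedded scheduled-task definition that decide privilege and persistence."""
    text = xml_text.rstrip()
    if text.endswith("</Task"):      # the extractor's string lacks the final '>'
        text += ">"
    text = re.sub(r"^<\?xml[^>]*\?>\s*", "", text)  # ElementTree rejects encoding="UTF-16" on a str
    root = ET.fromstring(text)
    ns = {"t": TASK_NS}

    def get(path):
        return root.findtext(path, namespaces=ns)

    triggers = root.find("t:Triggers", namespaces=ns)
    return {
        "logon_type": get("t:Principals/t:Principal/t:LogonType"),
        "run_level": get("t:Principals/t:Principal/t:RunLevel"),
        "trigger_count": 0 if triggers is None else len(triggers),
        "on_demand": get("t:Settings/t:AllowStartOnDemand") == "true",
        "hidden": get("t:Settings/t:Hidden") == "true",
        "command": get("t:Actions/t:Exec/t:Command"),
        "arguments": get("t:Actions/t:Exec/t:Arguments"),
    }


def persistence_assessment(cfg):
    """Plain-language findings about what the configuration asks the host to do."""
    task = parse_task_xml(cfg["BypassUserAccountControlData"])
    findings = []
    if cfg.get("BypassUAC") == "Enable" and task["run_level"] == "HighestAvailable":
        findings.append("task runs as the interactive user at RunLevel=HighestAvailable; Task Scheduler "
                        "starts tasks without a UAC prompt, so an admin user's full token is requested")
    if task["trigger_count"] == 0 and task["on_demand"]:
        findings.append("no triggers and AllowStartOnDemand=true: a launcher the client invokes itself, "
                        "not a scheduled job")
    if task["command"] and "#EXECUTABLEPATH" in task["command"]:
        findings.append("Command holds the #EXECUTABLEPATH placeholder for the running client's path; "
                        f"Arguments={task['arguments']} (the process tree shows dhcpmon.exe started with '0')")
    if cfg.get("ClearZoneIdentifier") == "Enable":
        findings.append("ClearZoneIdentifier=Enable: the Zone.Identifier stream (Mark-of-the-Web) is removed")
    return findings


if __name__ == "__main__":
    config = parse_config()
    print(network_indicators(config))
    for line in persistence_assessment(config):
        print("-", line)
```

The functions return plain Python values rather than printing, so the same checks can sit behind a configuration-extraction pipeline that ingests many NanoCore samples and feeds C2 endpoints and task names straight into blocklists or hunting queries.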

Yara Overview

Memory Dumps

Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x111e5:$x1: NanoCore.ClientPluginHost
  • 0x11222:$x2: IClientNetworkHost
  • 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0x10f4d:$a: NanoCore
  • 0x10f5d:$a: NanoCore
  • 0x11191:$a: NanoCore
  • 0x111a5:$a: NanoCore
  • 0x111e5:$a: NanoCore
  • 0x10fac:$b: ClientPlugin
  • 0x111ae:$b: ClientPlugin
  • 0x111ee:$b: ClientPlugin
  • 0x110d3:$c: ProjectData
  • 0x11ada:$d: DESCrypto
  • 0x194a6:$e: KeepAlive
  • 0x17494:$g: LogClientMessage
  • 0x1368f:$i: get_Connected
  • 0x11e10:$j: #=q
  • 0x11e40:$j: #=q
  • 0x11e5c:$j: #=q
  • 0x11e8c:$j: #=q
  • 0x11ea8:$j: #=q
  • 0x11ec4:$j: #=q
  • 0x11ef4:$j: #=q
  • 0x11f10:$j: #=q

Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x123e5:$x1: NanoCore.ClientPluginHost
  • 0x7c6f3:$x1: NanoCore.ClientPluginHost
  • 0x8fe61:$x1: NanoCore.ClientPluginHost
  • 0xa8e25:$x1: NanoCore.ClientPluginHost
  • 0x12422:$x2: IClientNetworkHost
  • 0x7c70d:$x2: IClientNetworkHost
  • 0x8fe8e:$x2: IClientNetworkHost
  • 0xa8e52:$x2: IClientNetworkHost
  • 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

(92 further memory-dump matches not shown)

Unpacked PEs

Source: 14.2.dhcpmon.exe.24f0000.4.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(118 further unpacked-PE matches not shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\RHK098760045678009000.exe, ProcessId: 4364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: the same File created event (EventID 11, run.dat) listed under AV Detection

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: the same File created event (EventID 11, run.dat) listed under AV Detection

Remote Access Functionality:

Sigma detected: NanoCore
Source: the same File created event (EventID 11, run.dat) listed under AV Detection
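
The process tree and the Sigma hit together give three host-side observables that are straightforward to alert on: schtasks.exe registering a task from an XML definition staged in the user's %TEMP% (the two tmp*.tmp files), a copy of the sample appearing as C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe with the same MD5 as the original, and run.dat being written into a GUID-named folder under AppData\Roaming (Sysmon event ID 11). Both the sample and dhcpmon.exe are also relaunched with the single argument 0, consistent with the $(Arg0) in the task XML from the configuration. The Python below is an added example for this page, not part of the report and not Joe Sandbox or Sigma tooling: it runs those three checks over a handful of event records constructed from the process tree and the Sigma line above. The report renders command-line quotes as single quotes, so the tokenizer accepts either quote style; the image path for schtasks.exe is an assumption, since the report lists only its command line.

```python
import re

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
RUN_DAT = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)
TEMP_FILE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.IGNORECASE)

# Constructed event records modelled on this report's process tree and Sigma hit
# (Sysmon-style process creation and file creation). Hashes and command lines are the report's.
EVENTS = [
    {"kind": "process", "pid": 1744, "md5": "8AE8A20159A1FDEDD8C4937E8CC4C571",
     "image": r"C:\Users\user\Desktop\RHK098760045678009000.exe",
     "cmdline": r"'C:\Users\user\Desktop\RHK098760045678009000.exe'"},
    {"kind": "process", "pid": 2724, "md5": "15FF7D8324231381BAD48A052F85DF04",
     "image": r"C:\Windows\System32\schtasks.exe",  # path assumed; the report shows only the command line
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'"},
    {"kind": "process", "pid": 2188, "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496",
     "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"kind": "file", "pid": 4364,
     "target": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"kind": "process", "pid": 6216, "md5": "8AE8A20159A1FDEDD8C4937E8CC4C571",
     "image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmdline": r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0"},
    {"kind": "process", "pid": 5728, "md5": "15FF7D8324231381BAD48A052F85DF04",
     "image": r"C:\Windows\System32\schtasks.exe",  # path assumed, as above
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'"},
]


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted spans whole (single or double quotes)."""
    return [t.strip("'\"") for t in re.findall(r'"[^"]*"|\'[^\']*\'|\S+', cmdline)]


def _arg_after(tokens, flag):
    """Value following a case-insensitive flag such as /tn or /xml, or None."""
    low = [t.lower() for t in tokens]
    return tokens[low.index(flag) + 1] if flag in low and low.index(flag) + 1 < len(tokens) else None


def schtasks_from_temp_xml(cmdline):
    """Task name if the command registers a task from an XML definition staged in %TEMP%, else None."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    if "/create" not in (t.lower() for t in toks):
        return None
    xml_path = _arg_after(toks, "/xml")
    if not xml_path or not TEMP_FILE.search(xml_path):
        return None
    return _arg_after(toks, "/tn") or "<unnamed>"


def detect(events):
    """Return (rule, detail) pairs for the three NanoCore observables, in event order."""
    findings = []
    first_name_by_hash = {}
    for ev in events:
        if ev["kind"] == "process":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            first = first_name_by_hash.setdefault(ev["md5"].lower(), name)
            if first != name:  # the same binary re-appearing under a new name and path
                findings.append(("self-copy under new name", f"{ev['image']} has MD5 of {first}"))
            task = schtasks_from_temp_xml(ev["cmdline"])
            if task:
                findings.append(("schtasks /create from %TEMP% XML", f"task '{task}' (PID {ev['pid']})"))
        elif ev["kind"] == "file" and RUN_DAT.search(ev["target"]):
            findings.append(("NanoCore run.dat in Roaming\\{GUID}", ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The hash check is deliberately path-independent: NanoCore's dropped copy here keeps the original bytes (same MD5) but changes name and directory, so correlating on the hash from process-creation telemetry catches the copy even if the folder and task names differ between builds.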

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: RHK098760045678009000.exe; VirusTotal: Detection: 29%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 29%
Yara detected Nanocore RAT
Source: Yara match; file sources of type UNPACKEDPE:
  • 14.2.dhcpmon.exe.24f0000.4.unpack
  • 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack
  • 11.1.RHK098760045678009000.exe.415058.1.raw.unpack
  • 11.2.RHK098760045678009000.exe.400000.1.raw.unpack
  • 14.2.dhcpmon.exe.24a0000.3.raw.unpack
  • 21.2.dhcpmon.exe.f061458.3.raw.unpack
  • 14.2.dhcpmon.exe.400000.0.unpack
  • 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack
  • 14.2.dhcpmon.exe.38d3258.7.raw.unpack
  • 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack
  • 11.2.RHK098760045678009000.exe.415058.0.raw.unpack
  • 23.2.dhcpmon.exe.400000.1.unpack
  • 11.1.RHK098760045678009000.exe.415058.1.unpack
  • 14.2.dhcpmon.exe.415058.1.raw.unpack
  • 23.1.dhcpmon.exe.415058.1.unpack
  • 14.2.dhcpmon.exe.24a0000.3.unpack
  • 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack
  • 12.2.dhcpmon.exe.f061458.3.raw.unpack
  • 23.2.dhcpmon.exe.3823258.5.raw.unpack
  • 23.2.dhcpmon.exe.38a16b4.6.raw.unpack
  • 21.2.dhcpmon.exe.f061458.3.unpack
  • 23.2.dhcpmon.exe.4c4428.2.raw.unpack
  • 11.2.RHK098760045678009000.exe.2490000.3.unpack
  • 12.2.dhcpmon.exe.f050000.2.raw.unpack
  • 14.1.dhcpmon.exe.400000.0.unpack
  • 12.2.dhcpmon.exe.f061458.3.unpack
  • 14.2.dhcpmon.exe.722890.2.raw.unpack
  • 14.2.dhcpmon.exe.38d3258.7.unpack
  • 14.2.dhcpmon.exe.39516b4.6.unpack
  • 21.2.dhcpmon.exe.f050000.2.unpack
  • 11.1.RHK098760045678009000.exe.400000.0.unpack
Source: Yara match; file sources of type MEMORY:
  • 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp
  • 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp
  • 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp
  • 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp
  • 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp
  • 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp
  • 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp
  • 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp
  • 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp
  • 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp
  • 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp
  • 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp
  • 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp
  • 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp
  • 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp
  • 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp
  • 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp
  • 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp
  • 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp
  • 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp
  • 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp
  • 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp
Source: Yara match; process memory spaces (type MEMORYSTR):
  • RHK098760045678009000.exe PID: 1744
  • RHK098760045678009000.exe PID: 5820
  • RHK098760045678009000.exe PID: 2184
  • dhcpmon.exe PID: 2724
  • dhcpmon.exe PID: 6216
  • dhcpmon.exe PID: 6692
  • dhcpmon.exe PID: 6812
Machine Learning detection for sample
Source: RHK098760045678009000.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.dhcpmon.exe.24f0000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.dhcpmon.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.1.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.1.RHK098760045678009000.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.1.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.RHK098760045678009000.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.dhcpmon.exe.49a0000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Unpacked PE file: 11.2.RHK098760045678009000.exe.400000.1.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Unpacked PE file: 14.2.dhcpmon.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Unpacked PE file: 23.2.dhcpmon.exe.400000.1.unpack
Source: RHK098760045678009000.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP; source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb; source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 0_2_00405E93 FindFirstFileA, FindClose
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 0_2_004054BD DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 0_2_00402671 FindFirstFileA
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 8_2_00405E93 FindFirstFileA, FindClose
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 8_2_004054BD DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 8_2_00402671 FindFirstFileA
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 11_2_00404A29 FindFirstFileExW
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 11_1_00404A29 FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_2_00404A29 FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 14_1_00404A29 FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 23_2_00404A29 FindFirstFileExW
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 23_1_00404A29 FindFirstFileExW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7 -> 185.222.57.90:4445; 20 alerts, one per source port: 49748, 49749, 49750, 49753, 49754, 49755, 49757, 49758, 49759, 49787, 49803, 49807, 49808, 49817, 49834, 49835, 49836, 49841, 49842, 49843
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: (Domain1 is empty)
Source: Malware configuration extractor; URLs: 185.222.57.90
Source: Joe Sandbox View; ASN Name: ROOTLAYERNETNL
Source: global traffic; TCP traffic: 192.168.2.7:49748 -> 185.222.57.90:4445
Source: unknown; TCP traffic detected without corresponding DNS query: 185.222.57.90 (reported 50 times)
Source: RHK098760045678009000.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: RHK098760045678009000.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\Desktop\RHK098760045678009000.exe; Code function: 0_2_00404FC2 GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, SendMessageA, ShowWindow, ShowWindow, GetDlgItem, SendMessageA, SendMessageA, SendMessageA, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageA, CreatePopupMenu, AppendMenuA, GetWindowRect, TrackPopupMenu, SendMessageA, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageA, GlobalUnlock, SetClipboardData, CloseClipboard

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.28f687c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.2a56864.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.314285351.00000000028DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: RHK098760045678009000.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.28f687c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.28f687c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.2a56864.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.2a56864.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.314285351.00000000028DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_004047D3
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_004061D4
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF85BEF
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF85BE0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 1_1_0040A2A5
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_004047D3
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_004061D4
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_6FF85BEF
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_6FF85BE0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_0040A2A5
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_026623A0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_02662FA8
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_0266306F
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_6FF75BE0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_6FF75BEF
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02573850
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_025723A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02572FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0257306F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_6FF85BEF
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_6FF85BE0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_049E2FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_049E23A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_049E3850
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_049E306F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_0040A2A5
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: String function: 00402A29 appears 52 times
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: String function: 00401ED0 appears 69 times
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: String function: 00405B98 appears 38 times
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: String function: 0040569E appears 54 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: String function: 00401ED0 appears 92 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: String function: 004056B5 appears 32 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: String function: 0040569E appears 72 times
        Source: RHK098760045678009000.exe, 00000000.00000003.259552360.000000000F33F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 00000008.00000003.278073126.000000000F32F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: RHK098760045678009000.exe | Virustotal: Detection: 29%
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File read: C:\Users\user\Desktop\RHK098760045678009000.exe
        Source: RHK098760045678009000.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsg3432.tmp
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/19@0/2
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: RHK098760045678009000.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1388:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{319d0527-f6c8-4b20-86a3-4c642aa02ef8}
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Binary string: wntdll.pdbUGP source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Unpacked PE file: 11.2.RHK098760045678009000.exe.400000.1.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 14.2.dhcpmon.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 23.2.dhcpmon.exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Unpacked PE file: 11.2.RHK098760045678009000.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 14.2.dhcpmon.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 23.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
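The three lines above compare two section layouts in the sandbox's `name:FLAGS;` notation. Note that the two lists do not merely differ in permissions: one side has an `.ndata` section and the other a `.gfids` section, so the image at 0x400000 is a different PE, not the original with flipped protections. The following is an added example (not part of the report and not Joe Sandbox code) that parses this notation and separates a wholesale image swap from a genuine rights change. The listings are copied from the report; the toolchain-hint table (`.ndata` for the NSIS stub, `.gfids` for MSVC's Control Flow Guard function table) is an assumption, a heuristic rather than something the report states.

```python
"""Compare two PE section listings written as 'name:FLAGS;name:FLAGS;'.

Added example, not from the report or from Joe Sandbox. The two listings
are copied from the report's "changes PE section rights" lines; the
TOOLCHAIN_HINTS table is an assumption (a triage heuristic).
"""
from dataclasses import dataclass

LISTING_NSIS = ".text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R;"   # from the report
LISTING_CFG = ".text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;"    # from the report
REPORT_LINE = ("11.2.RHK098760045678009000.exe.400000.1.unpack "
               + LISTING_NSIS + " vs " + LISTING_CFG)

# Assumption: section names that betray a toolchain. .ndata is the NSIS
# stub's uninitialised-data section; .gfids holds MSVC's CFG function IDs.
TOOLCHAIN_HINTS = {
    ".ndata": "NSIS installer stub",
    ".gfids": "MSVC build with Control Flow Guard",
}


def parse_sections(listing: str) -> dict:
    """'.text:ER;.rdata:R;' -> {'.text': frozenset('ER'), '.rdata': frozenset('R')}."""
    sections = {}
    for entry in listing.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        name, _, flags = entry.partition(":")
        sections[name.strip()] = frozenset(flags.strip().upper())
    return sections


@dataclass(frozen=True)
class SectionDiff:
    only_in_a: tuple           # section names present only in listing A
    only_in_b: tuple           # section names present only in listing B
    rights_changed: tuple      # (name, flags_a, flags_b) for sections in both
    writable_executable: tuple # sections that are W and E in either listing
    hints: tuple               # (section, toolchain hint) for known names


def _flags(fs: frozenset) -> str:
    return "".join(sorted(fs))


def diff_sections(a: str, b: str) -> SectionDiff:
    sa, sb = parse_sections(a), parse_sections(b)
    names = list(sa) + [n for n in sb if n not in sa]
    common = [n for n in sa if n in sb]
    wx = {n for s in (sa, sb) for n, f in s.items() if {"W", "E"} <= f}
    return SectionDiff(
        only_in_a=tuple(n for n in sa if n not in sb),
        only_in_b=tuple(n for n in sb if n not in sa),
        rights_changed=tuple((n, _flags(sa[n]), _flags(sb[n]))
                             for n in common if sa[n] != sb[n]),
        writable_executable=tuple(sorted(wx)),
        hints=tuple((n, TOOLCHAIN_HINTS[n]) for n in names if n in TOOLCHAIN_HINTS),
    )


def diff_report_line(line: str) -> SectionDiff:
    """Accept a whole report line: '<unpack id> <listing A> vs <listing B>'."""
    left, right = line.split(" vs ", 1)
    return diff_sections(left.rsplit(" ", 1)[-1], right.strip())


def classify(d: SectionDiff) -> str:
    """Distinguish a genuine permission change from a wholesale image swap."""
    if d.only_in_a or d.only_in_b:
        return "different image"   # section set differs: another PE was mapped in
    if d.rights_changed:
        return "rights changed"    # same layout, protections flipped in place
    return "identical"


if __name__ == "__main__":
    d = diff_report_line(REPORT_LINE)
    print(classify(d), d.only_in_a, d.only_in_b, d.hints)
```

A "different image" verdict is the case to investigate as process replacement (the report also lists "Injects a PE file into a foreign processes"), whereas "rights changed" with a W+E section points at an in-place self-modifying unpacker.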
.NET source code contains potential unpacker
Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.24f0000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.24f0000.4.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.dhcpmon.exe.49a0000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.dhcpmon.exe.49a0000.8.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 1_1_00401F16 push ecx; ret
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_00401F16 push ecx; ret
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_00401F16 push ecx; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00401F16 push ecx; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_02588593 push ebp; retn 0000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_00401F16 push ecx; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00401F16 push ecx; ret
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_00401F16 push ecx; ret
Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, #=qJT4I5hOweIku$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.dhcpmon.exe.24f0000.4.unpack, #=qJT4I5hOweIku$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.dhcpmon.exe.24f0000.4.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 23.2.dhcpmon.exe.49a0000.8.unpack, #=qJT4I5hOweIku$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 23.2.dhcpmon.exe.49a0000.8.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
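The "High entropy of concatenated method names" signature above is a simple statistic: join the member names of a class and measure the Shannon entropy per character. Renamed members such as the `#=q...` names listed in the report draw from a base64-like alphabet and score close to 6 bits per character, while ordinary camel-case identifiers score well under 5. The following is an added example (not part of the report and not Joe Sandbox's implementation) that computes that statistic; the obfuscated names are copied from the report, the "ordinary" names and the 5.0-bit threshold are assumptions chosen for illustration, and the `#=q` prefix check is a second heuristic layered on top.

```python
"""Shannon entropy of concatenated method names as an obfuscation heuristic.

Added example, not from the report or from Joe Sandbox. OBFUSCATED is copied
from the report; ORDINARY and ENTROPY_THRESHOLD are assumptions.
"""
import math
from collections import Counter

# Copied from the report: one renamed class's members.
OBFUSCATED = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
    "#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=",
    "#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=",
    "#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=",
    "#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=",
]

# Constructed: what an un-obfuscated class of similar size might expose
# (names taken from the API lists elsewhere in this report).
ORDINARY = [
    "GetCurrent", "IsInRole", "CreateDecryptor", "TransformFinalBlock",
    "LoadResource", "FindResource", "SizeofResource", "FreeResource",
    "ExitProcess", "GetModuleHandle",
]

ENTROPY_THRESHOLD = 5.0   # assumption: bits per character
RENAMER_PREFIX = "#=q"    # the renamed-member form seen in this report


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names) -> float:
    """Entropy of all member names joined, as the sandbox signature does."""
    return shannon_entropy("".join(names))


def renamer_prefix_ratio(names, prefix: str = RENAMER_PREFIX) -> float:
    """Share of names that carry the renamer prefix."""
    if not names:
        return 0.0
    return sum(1 for n in names if n.startswith(prefix)) / len(names)


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Flag a class whose members are high-entropy or mostly renamer-prefixed."""
    return (method_name_entropy(names) >= threshold
            or renamer_prefix_ratio(names) >= 0.5)


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("ordinary", ORDINARY)):
        print(f"{label}: {method_name_entropy(names):.2f} bits/char, "
              f"prefix ratio {renamer_prefix_ratio(names):.2f}, "
              f"flagged={looks_obfuscated(names)}")
```

The entropy test alone is weak against renamers that emit short lower-case names; that is why the second check keys on the prefix form actually observed here rather than on entropy alone.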
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsf6352.tmp\fbnwl.dll
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File created: C:\Users\user\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsv8A14.tmp\fbnwl.dll
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File created: C:\Users\user\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'
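The persistence command above has three properties worth keying a detection on: the task is created from an XML definition (`/xml`) rather than an inline `/tr` action, that XML is staged in the user's temp directory under a `tmpXXXX.tmp` name, and `/f` silently replaces any existing task of the same name. The following is an added example of detection logic over process-creation records (not part of the report; the records are constructed, the first one reproducing the command line shown above and the others being benign look-alikes). The record field names `image`, `parent` and `cmdline` are an assumption to be mapped onto your EDR or Sysmon Event ID 1 schema; the `tmpXXXX.tmp` check assumes the staged file was produced by .NET's `Path.GetTempFileName()`, which is consistent with the observed name but not stated by the report.

```python
"""Flag schtasks.exe task creation driven by an XML file staged in a temp dir.

Added example (detection logic), not part of the report. SAMPLE_EVENTS are
constructed; field names are an assumption to adapt to your log schema.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample records. The first mirrors the report's command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\Desktop\RHK098760045678009000.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' "
                r"/xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"schtasks.exe" /Create /TN "Vendor Update" '
                r'/XML "C:\Program Files\Vendor\update-task.xml"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /query /tn "Vendor Update"'},
]

TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)
# Assumption: tmp<4 hex>.tmp is what Path.GetTempFileName() / GetTempFileNameW produce.
TEMPFILE_RE = re.compile(r"\\tmp[0-9A-Fa-f]{4}\.tmp$", re.IGNORECASE)
INSTALLER_RE = re.compile(r"setup|install|msiexec", re.IGNORECASE)
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring both quote styles."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Return schtasks switches as {switch: value-or-True}, switch names lowercased."""
    tokens = tokenize(cmdline)
    opts, i = {}, 1          # tokens[0] is the program itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]   # switch with a value
                i += 2
                continue
            opts[key] = True                # bare switch such as /f
        i += 1
    return opts


@dataclass(frozen=True)
class Finding:
    task_name: str
    xml_path: str
    parent: str
    reasons: tuple


def evaluate(event: dict):
    """Return a Finding for a suspicious task creation, else None."""
    if ntpath.basename(event["image"]).lower() != "schtasks.exe":
        return None
    opts = parse_schtasks(event["cmdline"])
    xml = opts.get("xml")
    # Primary condition: /create with the task definition staged in a temp directory.
    if "create" not in opts or not isinstance(xml, str) or not TEMP_DIR_RE.search(xml):
        return None
    reasons = ["task XML staged in a temp directory"]
    if TEMPFILE_RE.search(xml):
        reasons.append("XML name matches the tmpXXXX.tmp form of Path.GetTempFileName()")
    if "f" in opts:
        reasons.append("/f overwrites an existing task of the same name")
    parent = ntpath.basename(event.get("parent", "")).lower()
    if parent and not INSTALLER_RE.search(parent):
        reasons.append(f"spawned by non-installer parent {parent}")
    return Finding(task_name=str(opts.get("tn", "")), xml_path=xml,
                   parent=event.get("parent", ""), reasons=tuple(reasons))


def scan(events) -> list:
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.task_name, f.xml_path, *f.reasons, sep="\n  ")
```

Because the XML file is deleted after registration, the task's `Actions` element is only recoverable from the Task Scheduler store (`C:\Windows\System32\Tasks\<name>`) afterwards; the command line is the cheaper artefact to alert on.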

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | File opened: C:\Users\user\Desktop\RHK098760045678009000.exe:Zone.Identifier read attributes | delete
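The stream opened above with DELETE access is the NTFS alternate data stream that browsers and mail clients write to downloaded files (the "mark of the web"): a small INI-style text whose `ZoneId` records the URLMON security zone the file came from, and which SmartScreen and Office Protected View consult. Removing it is what makes the sample look locally created. The following is an added example (not part of the report) that reads and interprets that stream so a responder can check whether dropped files still carry it; the stream text is constructed, and the zone-number table is the standard URLMON numbering.

```python
"""Read and interpret a file's Zone.Identifier stream (mark of the web).

Added example, not from the report. SAMPLE_STREAM is constructed to look
like what a browser writes for a download.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLMON zone numbering: URLZONE_LOCAL_MACHINE .. URLZONE_UNTRUSTED.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample stream content (CRLF line endings, as written on Windows).
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/RHK098760045678009000.exe\r\n")


@dataclass(frozen=True)
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def untrusted(self) -> bool:
        """Zones 3 and 4 are what SmartScreen / Protected View act on."""
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style stream; None if it carries no usable ZoneTransfer section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case (ZoneId, HostUrl)
    try:
        cp.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:      # e.g. no section header at all
        return None
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sect = cp["ZoneTransfer"]
    try:
        zone = int(sect["ZoneId"])
    except ValueError:
        return None
    return MarkOfTheWeb(zone, ZONE_NAMES.get(zone, f"unknown ({zone})"),
                        sect.get("ReferrerUrl"), sect.get("HostUrl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Open the ADS on NTFS (Windows only). None means the stream is absent or stripped."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    m = parse_zone_identifier(SAMPLE_STREAM)
    print(m, "untrusted" if m and m.untrusted else "trusted")
    print(read_mark_of_the_web(r"C:\Users\user\Desktop\RHK098760045678009000.exe"))
```

On a live host, a `None` from `read_mark_of_the_web` for a file the user demonstrably downloaded is itself an indicator: either the stream was never written (non-browser transfer) or, as here, the sample deleted it.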
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process information set: NOOPENFILEERRORBOX (99 occurrences)
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (55 occurrences)
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 8Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 5928Thread sleep time: -300000s >= -30000s
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 6488Thread sleep count: 43 > 30
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 6448Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6808Thread sleep count: 42 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6804Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7052Thread sleep count: 41 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7032Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Window / User API: threadDelayed 394
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Window / User API: threadDelayed 372
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Window / User API: foregroundWindowGot 596
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Window / User API: foregroundWindowGot 651
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_00405E93 FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_00402671 FindFirstFileA,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_00405E93 FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_00402671 FindFirstFileA,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF83070 ymvwfuvwx,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF854DA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF856EE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF857DE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF8579F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_6FF8581C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_6FF854DA mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_6FF856EE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_6FF857DE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_6FF8579F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 8_2_6FF8581C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_6FF754DA mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_6FF756EE mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_6FF757DE mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_6FF7579F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_6FF7581C mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_6FF854DA mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_6FF856EE mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_6FF857DE mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_6FF8579F mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_6FF8581C mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 1_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Memory written: C:\Users\user\Desktop\RHK098760045678009000.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Memory written: C:\Users\user\Desktop\RHK098760045678009000.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Process created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: RHK098760045678009000.exe, 00000001.00000003.332764209.0000000005A4D000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: RHK098760045678009000.exe, 00000001.00000003.367011538.0000000005A2F000.00000004.00000001.sdmp | Binary or memory string: Program Managerq
        Source: RHK098760045678009000.exe, 00000001.00000003.417962578.0000000005A2F000.00000004.00000001.sdmp | Binary or memory string: WProgram Manager
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 1_1_0040208D cpuid
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 11_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: RHK098760045678009000.exe, 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RHK098760045678009000.exe, 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RHK098760045678009000.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR

        Mitre Att&ck Matrix

        Columns are the ATT&CK tactics; trailing digits on a technique name are the superscript counts carried over from the original matrix.

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools1 | Input Capture11 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
        Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | File and Directory Discovery2 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery15 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing31 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Security Software Discovery13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion21 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Virtualization/Sandbox Evasion21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 510055
        Sample: RHK098760045678009000.exe
        Startdate: 27/10/2021
        Architecture: WINDOWS
        Score: 100
        Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

        Process tree recovered from the graph (numbers after a process name are the counts shown on that graph node, see the legend above):
        • RHK098760045678009000.exe 17 (started)
          • Dropped: C:\Users\user\AppData\Local\...\fbnwl.dll, PE32
          • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules
          • RHK098760045678009000.exe 1 18 (started)
            • DNS/IP: 185.222.57.90, 4445, 49748, 49749 ROOTLAYERNETNL Netherlands
            • Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO; C:\Users\user\AppData\Local\...\tmpBEAC.tmp, XML; C:\...\dhcpmon.exe:Zone.Identifier, ASCII
            • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            • schtasks.exe 1 (started)
              • dhcpmon.exe 3 (started)
                • Dropped: C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII
              • conhost.exe (started)
            • schtasks.exe 1 (started)
              • conhost.exe (started)
        • RHK098760045678009000.exe 16 (started)
          • Dropped: C:\Users\user\AppData\Local\...\fbnwl.dll, PE32
          • Signature: Injects a PE file into a foreign processes
          • RHK098760045678009000.exe 3 (started)
            • Dropped: C:\Users\...\RHK098760045678009000.exe.log, ASCII
        • dhcpmon.exe 16 (started)
          • Dropped: C:\Users\user\AppData\Local\...\fbnwl.dll, PE32
          • dhcpmon.exe 2 (started)
        • dhcpmon.exe 16 (started)
          • DNS/IP: 192.168.2.1 unknown unknown
          • Dropped: C:\Users\user\AppData\Local\...\fbnwl.dll, PE32


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        RHK098760045678009000.exe | 29% | Virustotal | | Browse
        RHK098760045678009000.exe | 100% | Joe Sandbox ML | |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 30% | ReversingLabs | Win32.Backdoor.Androm |

        Unpacked PE Files

        Source | Detection | Scanner | Label | Link | Download
        23.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        14.2.dhcpmon.exe.24f0000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        8.2.RHK098760045678009000.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        12.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        14.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        23.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        21.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        14.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        0.0.RHK098760045678009000.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        14.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        0.2.RHK098760045678009000.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        12.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        11.1.RHK098760045678009000.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        8.0.RHK098760045678009000.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        23.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        11.0.RHK098760045678009000.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        1.0.RHK098760045678009000.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        21.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 | | Download File
        11.2.RHK098760045678009000.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        11.2.RHK098760045678009000.exe.25f0000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        23.2.dhcpmon.exe.49a0000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label | Link
         | 0% | Avira URL Cloud | safe |
        185.222.57.90 | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
         | true | Avira URL Cloud: safe | low
        185.222.57.90 | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://nsis.sf.net/NSIS_Error | RHK098760045678009000.exe | false | | high
        http://nsis.sf.net/NSIS_ErrorError | RHK098760045678009000.exe | false | | high

            Contacted IPs

            Public

            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            185.222.57.90 | unknown | Netherlands | | 51447 | ROOTLAYERNETNL | true

            Private

            IP
            192.168.2.1

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:510055
            Start date:27.10.2021
            Start time:12:34:11
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 58s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:RHK098760045678009000.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@18/19@0/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 74.3% (good quality ratio 66.9%)
            • Quality average: 73.9%
            • Quality standard deviation: 33.3%
            HCA Information:
            • Successful, ratio: 83%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.50.102.62, 13.107.4.50, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154
            • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, b1ns.c-0001.c-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, b1ns.au-msedge.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.

            Simulations

            Behavior and APIs

            Time | Type | Description
            12:35:20 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\RHK098760045678009000.exe" s>$(Arg0)
            12:35:21 | API Interceptor | 916x Sleep call for process: RHK098760045678009000.exe modified
            12:35:23 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
            12:35:23 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
            185.222.57.90 | FHKPO098765432345.exe | Get hash | malicious | Browse |

              Domains

              No context

              ASN

              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
              ROOTLAYERNETNL | FHKPO098765432345.exe | Get hash | malicious | Browse | 185.222.57.90
               | SecuriteInfo.com.Suspicious.Win32.Save.a.4240.exe | Get hash | malicious | Browse | 185.222.58.151
               | SecuriteInfo.com.Artemis3008D0721A6C.1070.exe | Get hash | malicious | Browse | 185.222.58.151
               | AWB #3099657260.xlsx | Get hash | malicious | Browse | 185.222.57.190
               | HIC INTERNATIONAL - REQUEST FOR QUOTATION DOCUMENTS.exe | Get hash | malicious | Browse | 45.137.22.70
               | AWB #30996572600.xlsx | Get hash | malicious | Browse | 185.222.57.190
               | BL. NO. ANSMUNDAR3621.exe | Get hash | malicious | Browse | 185.222.57.71
               | Payment Supplier.xlsx | Get hash | malicious | Browse | 185.222.57.85
               | BULK ORDER #RFQ REF R2100131410.exe | Get hash | malicious | Browse | 45.137.22.70
               | Proforma Invoices.exe | Get hash | malicious | Browse | 45.137.22.77
               | TT copy.exe | Get hash | malicious | Browse | 185.222.57.71
               | EXT-Order-ES.xlsx | Get hash | malicious | Browse | 185.222.57.190
               | attached MT103.xlsx | Get hash | malicious | Browse | 185.222.57.85
               | invoice.exe | Get hash | malicious | Browse | 185.222.57.71
               | pHfIio3D4E.exe | Get hash | malicious | Browse | 45.137.22.77
               | Kyodo International Corp - Products Lists.exe | Get hash | malicious | Browse | 185.222.57.253
               | tgSQwVSEzE.exe | Get hash | malicious | Browse | 45.137.22.77
               | Keen-Pros-DOC310521-31052021124021.exe | Get hash | malicious | Browse | 45.137.22.70
               | Order EQE090.xlsx | Get hash | malicious | Browse | 185.222.57.190
               | PO-10152021.exe | Get hash | malicious | Browse | 185.222.58.151

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Category:dropped
              Size (bytes):446374
              Entropy (8bit):7.37562465733928
              Encrypted:false
              SSDEEP:6144:vBlL/qJ0hAJgtOHh6K6wiqyv/9nWZbcqzr2VURH2W1yS1dk3kqA/eFaTQH:J+0hAgtOHEK61B/9yn662WwS1dkdAfTo
              MD5:8AE8A20159A1FDEDD8C4937E8CC4C571
              SHA1:A68C405AA1BEC64C9790C321B4785C98F5C9A2A6
              SHA-256:BD386B60F5A095F369D4473D5F3185C226363A563F45326CEA048E10F0FF403B
              SHA-512:AE7EC190DB374595C4612F937F8FF98172B4A9C828E218806498E6443C0490CFDF92FE7A8F2B965DC34015C5B5E004DD02C53289A55C94E194F079B0E8017261
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 30%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t...........;...........................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc....;.......<...x..............@..@................................................................................................................................................................................................................................................................................................................................................................
              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RHK098760045678009000.exe.log
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.2874233355119316
              Encrypted:false
              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
              MD5:61CCF53571C9ABA6511D696CB0D32E45
              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
              Malicious:true
              Reputation:high, very likely benign file
              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.2874233355119316
              Encrypted:false
              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
              MD5:61CCF53571C9ABA6511D696CB0D32E45
              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
              Malicious:true
              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
              C:\Users\user\AppData\Local\Temp\9re2jblvico
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:data
              Category:dropped
              Size (bytes):279039
              Entropy (8bit):7.9862471646957305
              Encrypted:false
              SSDEEP:6144:05TTwU+xMf7+UF1tCr0XpS6i/qpwSu47UNIp9U7iWwK:+TyxMD+UF/CEpTsYwSu2QItK
              MD5:EF5501D8A05A00E32A4DA2E879054CAB
              SHA1:EE96AF9CAA8A0B968D5664A61CAEF4A18C7F097F
              SHA-256:60C2C9E683635BC40FCBC61E06A25532D00E6BA4D46624C7C57E71580AE84DCF
              SHA-512:D636286954326E505FC524A21B8D1540AD1F66A84C513B87BA9027D12C4A3EF74F14D0707AE5E88F8432DBCE3A7ABB98D61DEFA7B740E4CF3342C0463874E8F9
              Malicious:false
              C:\Users\user\AppData\Local\Temp\nsf6352.tmp\fbnwl.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsv8A14.tmp\fbnwl.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1315
              Entropy (8bit):5.148995150358009
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK07bxtn:cbk4oL600QydbQxIYODOLedq3Wj
              MD5:EA990AF5897960534A4B53B9AE469852
              SHA1:C9409D6DA2EF73DA46D2F252FACDA1577F7B31C8
              SHA-256:16415204477AB850AF7AA39E29ADD5D6BB0DA97F2E8BB68F906D3B82F9BEE163
              SHA-512:DAA2BDEB5CA246B5D7383005FE2A4B3975321B4330E8777AD71FDD840A057F17E12137FBDC3FFB86346C23A755BC230E2ECABD68BBCC215D11EA506A684A46A4
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:modified
              Size (bytes):232
              Entropy (8bit):7.089541637477408
              Encrypted:false
              SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
              MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
              SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
              SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
              SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
              Malicious:false
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:Non-ISO extended-ASCII text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:HCf:if
              MD5:AB6ACF2514CF9D7C146288805B82395A
              SHA1:B45A987160D4F1CF2BF65398D7BDB0DDFDF966F9
              SHA-256:4ADBC5F80F47F6FC3B6EF126648722F05DE66E8F32A6248B08AEB3F986B99D76
              SHA-512:6F93CE445AB368DC3DAC4A81C3814AB8F0DD2E8C5CA67532C1171E676BA792F5101DBE25A587198FA75130C0DCF309460DDD1E50AE46FDE55141B0820FB49B1F
              Malicious:true
              Preview: s....H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:dropped
              Size (bytes):24
              Entropy (8bit):4.584962500721156
              Encrypted:false
              SSDEEP:3:9bzY6oRDJoTBn:RzWDqTB
              MD5:3FCC766D28BFD974C68B38C27D0D7A9A
              SHA1:45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
              SHA-256:39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
              SHA-512:C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
              Malicious:false
              Preview: 9iH...}Z.4..f.....l.d
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:dropped
              Size (bytes):40
              Entropy (8bit):5.221928094887364
              Encrypted:false
              SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
              MD5:AE0F5E6CE7122AF264EC533C6B15A27B
              SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
              SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
              SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
              Malicious:false
              Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:dropped
              Size (bytes):426832
              Entropy (8bit):7.999527918131335
              Encrypted:true
              SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
              MD5:653DDDCB6C89F6EC51F3DDC0053C5914
              SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
              SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
              SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
              Malicious:false
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):52
              Entropy (8bit):4.4002543244019225
              Encrypted:false
              SSDEEP:3:oN0naRR3c2dSTuCU/Ln:oNcSRlQTSTn
              MD5:6E6E1881C289567E83AAD0435BF4C72D
              SHA1:29DB6951579EA2E838154DED33E575806C797AA7
              SHA-256:3956537EFB18EC09EA2D6A0B831DBFC9EACFE59364873C8D5B55F8C21BCF46C3
              SHA-512:62D095D1DCD6184799D3E26F6473F39037C4804D1400844E347EA30AEF12B4667C141FC2A9F184F8C7C2CE852E4B154B1600DE5C338E4BA6710EBD9E1FDBCC25
              Malicious:false
              Preview: C:\Users\user\Desktop\RHK098760045678009000.exe

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.37562465733928
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:RHK098760045678009000.exe
              File size:446374
              MD5:8ae8a20159a1fdedd8c4937e8cc4c571
              SHA1:a68c405aa1bec64c9790c321b4785c98f5c9a2a6
              SHA256:bd386b60f5a095f369d4473d5f3185c226363a563f45326cea048e10f0ff403b
              SHA512:ae7ec190db374595c4612f937f8ff98172b4a9c828e218806498e6443c0490cfdf92fe7a8f2b965dc34015c5b5e004dd02c53289a55c94e194f079b0e8017261
              SSDEEP:6144:vBlL/qJ0hAJgtOHh6K6wiqyv/9nWZbcqzr2VURH2W1yS1dk3kqA/eFaTQH:J+0hAgtOHEK61B/9yn662WwS1dkdAfTo
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

              File Icon

              Icon Hash:30f0ccbaf2e47182

              Static PE Info

              General

              Entrypoint:0x4030fb
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:TERMINAL_SERVER_AWARE
              Time Stamp:0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:b76363e9cb88bf9390860da8e50999d2

              Entrypoint Preview

              Instruction
              sub esp, 00000184h
              push ebx
              push ebp
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+20h], ebx
              mov dword ptr [esp+14h], 00409168h
              mov dword ptr [esp+1Ch], ebx
              mov byte ptr [esp+18h], 00000020h
              call dword ptr [004070B0h]
              call dword ptr [004070ACh]
              cmp ax, 00000006h
              je 00007F3C2CECD9D3h
              push ebx
              call 00007F3C2CED07B4h
              cmp eax, ebx
              je 00007F3C2CECD9C9h
              push 00000C00h
              call eax
              mov esi, 00407280h
              push esi
              call 00007F3C2CED0730h
              push esi
              call dword ptr [00407108h]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007F3C2CECD9ADh
              push 0000000Dh
              call 00007F3C2CED0788h
              push 0000000Bh
              call 00007F3C2CED0781h
              mov dword ptr [00423F44h], eax
              call dword ptr [00407038h]
              push ebx
              call dword ptr [0040726Ch]
              mov dword ptr [00423FF8h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 0041F4F0h
              call dword ptr [0040715Ch]
              push 0040915Ch
              push 00423740h
              call 00007F3C2CED03B4h
              call dword ptr [0040710Ch]
              mov ebp, 0042A000h
              push eax
              push ebp
              call 00007F3C2CED03A2h
              push ebx
              call dword ptr [00407144h]

              Rich Headers

              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7418 | 0xa0 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x23b90 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x5aeb | 0x5c00 | False | 0.665123980978 | data | 6.42230569414 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x7000 | 0x1196 | 0x1200 | False | 0.458984375 | data | 5.20291736659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x9000 | 0x1b038 | 0x600 | False | 0.432291666667 | data | 4.0475118296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0x2d000 | 0x23b90 | 0x23c00 | False | 0.522324355332 | data | 5.54550086743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x2d2b0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
              RT_ICON | 0x3dad8 | 0xa498 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
              RT_ICON | 0x47f70 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
              RT_ICON | 0x4c198 | 0x25a8 | data | English | United States
              RT_ICON | 0x4e740 | 0x10a8 | data | English | United States
              RT_ICON | 0x4f7e8 | 0x988 | data | English | United States
              RT_ICON | 0x50170 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
              RT_DIALOG | 0x505d8 | 0x100 | data | English | United States
              RT_DIALOG | 0x506d8 | 0x11c | data | English | United States
              RT_DIALOG | 0x507f8 | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x50858 | 0x68 | data | English | United States
              RT_MANIFEST | 0x508c0 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

              Imports

              DLL | Import
              KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
              USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
              GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
              SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
              ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
              ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

              Possible Origin

              Language of compilation system | Country where language is spoken
              English | United States

              Network Behavior

              Snort IDS Alerts

              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              10/27/21-12:35:22.661932 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:35:30.385238 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49749 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:35:36.308156 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:35:42.259470 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:35:46.512767 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49754 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:35:52.967208 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49755 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:35:59.180187 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:06.219324 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:12.240861 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:18.449942 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49787 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:25.461735 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49803 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:31.504021 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49807 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:37.609565 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49808 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:42.275628 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49817 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:49.658333 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49834 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:36:55.470444 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49835 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:37:01.316047 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49836 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:37:07.236455 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49841 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:37:13.129562 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49842 | 4445 | 192.168.2.7 | 185.222.57.90
              10/27/21-12:37:19.018469 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49843 | 4445 | 192.168.2.7 | 185.222.57.90

              Network Port Distribution

              TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 27, 2021 12:35:22.614408016 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:22.637341976 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:22.637481928 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:22.661931992 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:22.703679085 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:22.710825920 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:22.734333992 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:22.766468048 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:22.831394911 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:22.831465960 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:22.902771950 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:22.927371025 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:22.993540049 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:22.993611097 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.010178089 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.010201931 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.010217905 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.010235071 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.010247946 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.010256052 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.010281086 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.032808065 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032831907 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032860994 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032877922 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032895088 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032908916 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.032912016 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032928944 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032943964 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.032947063 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032948971 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.032958984 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.032974005 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.033010006 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.055490971 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055502892 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055527925 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055557966 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055586100 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055613995 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055639982 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055651903 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.055669069 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055696964 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055701017 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.055711985 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.055723906 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055740118 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.055752039 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055778980 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055804968 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055826902 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.055836916 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055862904 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055885077 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055902958 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.055953979 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.055963039 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.078402996 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078474045 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078514099 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.078516960 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078558922 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078600883 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078609943 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.078646898 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078670979 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078715086 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.078717947 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078744888 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.078759909 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078799963 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078838110 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.078840971 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078881025 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078918934 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078923941 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.078958035 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078994989 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.078995943 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.079035044 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079055071 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.079075098 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079112053 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079138041 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.079149961 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079190016 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079226971 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079251051 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.079266071 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079304934 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079309940 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.079345942 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079363108 CEST  49748        4445       192.168.2.7    185.222.57.90
Oct 27, 2021 12:35:23.079385996 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079422951 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079451084 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079489946 CEST  4445         49748      185.222.57.90  192.168.2.7
Oct 27, 2021 12:35:23.079507113 CEST  49748        4445       192.168.2.7    185.222.57.90

              Code Manipulations

              Statistics

              Behavior


              System Behavior

              General

Start time: 12:35:11
Start date: 27/10/2021
Path: C:\Users\user\Desktop\RHK098760045678009000.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\RHK098760045678009000.exe'
Imagebase: 0x400000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

              General

Start time: 12:35:12
Start date: 27/10/2021
Path: C:\Users\user\Desktop\RHK098760045678009000.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\RHK098760045678009000.exe'
Imagebase: 0x400000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

              General

Start time: 12:35:19
Start date: 27/10/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'
Imagebase: 0x10b0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

              General

Start time: 12:35:20
Start date: 27/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

              General

Start time: 12:35:20
Start date: 27/10/2021
Path: C:\Users\user\Desktop\RHK098760045678009000.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\RHK098760045678009000.exe 0
Imagebase: 0x11a0000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

              General

Start time: 12:35:20
Start date: 27/10/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'
Imagebase: 0x10b0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

              General

Start time: 12:35:21
Start date: 27/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

              General

Start time: 12:35:22
Start date: 27/10/2021
Path: C:\Users\user\Desktop\RHK098760045678009000.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\RHK098760045678009000.exe 0
Imagebase: 0x400000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

              General

Start time: 12:35:23
Start date: 27/10/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase: 0x400000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 30%, ReversingLabs
Reputation: low

              General

Start time: 12:35:25
Start date: 27/10/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase: 0x400000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.314285351.00000000028DE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

              General

Start time: 12:35:33
Start date: 27/10/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x400000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

              General

Start time: 12:35:34
Start date: 27/10/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x400000
File size: 446374 bytes
MD5 hash: 8AE8A20159A1FDEDD8C4937E8CC4C571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

              Disassembly

              Code Analysis
