Windows Analysis Report BXym2eR0YTBKKsB.exe

Overview

General Information

Sample Name: BXym2eR0YTBKKsB.exe
Analysis ID: 527362
MD5: c57dd0f3a3495b72307cd6bbe8ed0654
SHA1: 792488219eb873bd7517d7b31622f3a6d6071aa9
SHA256: debeb2b87fcaf1274ea62f5ed9f7b47f8128662b7b766729c5b3aa5b3a5ab7f5
Tags: exe
Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: BXym2eR0YTBKKsB.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\fuZNBNvJ.exe ReversingLabs: Detection: 33%
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3d40f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3cbcd80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357817060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.359789773.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.563149725.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.320292572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.320728680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.321906752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.558866137.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.379808216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.358481197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380426142.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 2548, type: MEMORYSTR
Machine Learning detection for sample
Source: BXym2eR0YTBKKsB.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\fuZNBNvJ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.unpack Avira: Label: TR/NanoCore.fadte
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
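The Yara-match sources above come in two identifier shapes: `.unpack` names (process index, dump phase, image name, base address) and `.sdmp` memory-dump names (the same fields as zero-padded hex, plus a page-protection value). Decoding them is what tells an analyst which processes carried the unpacked NanoCore image and whether it sat in an executable-writable region at process start, the pattern expected when a suspended child is hollowed. The script below is an added example and not part of the Joe Sandbox report; the field layout is inferred from the identifiers as they appear in this report, and the `PHASE` and `PAGE_PROTECT` mappings are this example's assumptions (the latter taken from the Windows `PAGE_*` constants), not a documented Joe Sandbox format.

```python
"""Decode Joe Sandbox Yara-match source identifiers to see which process
and phase carried the NanoCore payload.  Added example, not part of the
report; field meanings are inferred from the report's identifiers, and
PHASE / PAGE_PROTECT are assumptions, not documented Joe Sandbox values."""
import re
from collections import defaultdict

# Copied from the report's Yara-match list (a subset of the full list).
SAMPLE_SOURCES = [
    "7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack",
    "16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack",
    "7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack",
    "0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack",
    "12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack",
    "00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp",
    "0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp",
    "00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp",
    "00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp",
    "00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp",
]

# <procindex>.<phase>.<dumpid>.<base>.<protect>.<type>.sdmp (hex except dumpid)
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# <procindex>.<phase>.<image>.<base>.<n>[.raw].unpack (procindex/phase decimal)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)(\.raw)?\.unpack$")

PHASE = {0: "start", 2: "end"}  # assumed: 0 = dump at process start, 2 = at process end
PAGE_PROTECT = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX"}  # assumed Windows PAGE_* values


def parse_source(src):
    """Return a dict describing one Yara-match source, or None if unrecognised."""
    m = SDMP_RE.match(src)
    if m:
        protect = int(m.group(5), 16)
        return {"kind": "sdmp", "proc": int(m.group(1), 16),
                "phase": PHASE.get(int(m.group(2), 16), m.group(2)),
                "base": int(m.group(4), 16),
                "protect": PAGE_PROTECT.get(protect, hex(protect))}
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "proc": int(m.group(1)),
                "phase": PHASE.get(int(m.group(2)), m.group(2)),
                "image": m.group(3), "base": int(m.group(4), 16),
                "raw": m.group(6) is not None}
    return None


def summarize(sources):
    """Group hits per process index: phases seen, bases hit, and RWX regions."""
    out = defaultdict(lambda: {"phases": set(), "bases": set(), "rwx": set()})
    for src in sources:
        p = parse_source(src)
        if p is None:
            continue
        entry = out[p["proc"]]
        entry["phases"].add(p["phase"])
        entry["bases"].add(p["base"])
        if p.get("protect") == "RWX":
            entry["rwx"].add(p["base"])
    return {proc: {k: sorted(v) for k, v in e.items()} for proc, e in out.items()}


if __name__ == "__main__":
    for proc, e in sorted(summarize(SAMPLE_SOURCES).items()):
        print(proc, {k: [hex(x) if k != "phases" else x for x in v] for k, v in e.items()})
```

Run on the sample list, process indices 7 and 16 both show a hit at 0x402000 in an RWX page in the "start" phase, i.e. the NanoCore image was already mapped over the child's own image before that child ran, while process 0 (the original dropper) only carries the payload as heap-resident data at process end. That reading is this example's interpretation of the identifiers and matches the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures listed above.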

Compliance:

Uses 32bit PE files
Source: BXym2eR0YTBKKsB.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: BXym2eR0YTBKKsB.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: oC:\Windows\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.375210362.000000000808A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\70YQ7i.pdb source: dhcpmon.exe, 00000011.00000002.382832984.0000000000AF6000.00000004.00000001.sdmp
Source: Binary string: indows\70YQ7i.pdbpdbQ7i.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.375210362.000000000808A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\70YQ7i.pdbM source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb3 source: BXym2eR0YTBKKsB.exe, 0000000C.00000003.361069331.0000000000864000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Runtime.Remoting.pdb/ source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.375210362.000000000808A000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0| source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Program Files (x86).pdb Mo source: dhcpmon.exe, 00000011.00000002.382832984.0000000000AF6000.00000004.00000001.sdmp
Source: Binary string: |indows\System.Runtime.Remoting.pdbpdbing.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\DsQzKpHbyJ\src\obj\Debug\70YQ7i.pdb source: BXym2eR0YTBKKsB.exe
Source: Binary string: C:\Users\user\Desktop\70YQ7i.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_025F4470
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_025F4460
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 4x nop then mov esp, ebp 7_2_02AC880F
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_047143F0
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 12_2_047143E1

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.19.85.175 ports 0,1,2,4,5,50421
Uses dynamic DNS services
Source: unknown DNS query: name: strongodss.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49757 -> 185.19.85.175:50421
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.292778613.0000000004FFE000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: dhcpmon.exe, 0000000D.00000002.350299522.0000000002EB1000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.383675889.0000000002D51000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/fooT
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294854451.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294854451.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294903729.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTCv
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294854451.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comX
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294854451.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comal
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294903729.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comma
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294766690.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294722528.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comtud
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294854451.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comwdth
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000000.00000003.299149163.0000000005025000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000000.00000003.299875193.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.297094725.0000000004FFC000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000000.00000003.296967294.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.298841449.0000000004FFC000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.298841449.0000000004FFC000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx;
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.298652223.0000000004FFC000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000000.00000003.298054853.0000000004FFC000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000000.00000003.297595628.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.297044338.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersF
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.297490343.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersP
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.307030251.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers_AN
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.299983843.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersb
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.298997567.0000000005025000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersuA8
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334390362.0000000004FF0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334390362.0000000004FF0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334390362.0000000004FF0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdiaa
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.292737397.000000000500B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comicv
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294447268.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.301892695.0000000004FFC000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.301892695.0000000004FFC000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/B
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.301892695.0000000004FFC000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.302210154.0000000005036000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmL
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.293641623.0000000005000000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krN.TTF
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.293641623.0000000005000000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krn
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.293641623.0000000005000000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.293641623.0000000005000000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr=
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: BXym2eR0YTBKKsB.exe, 00000000.00000003.294663755.0000000004FF3000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.H
Source: BXym2eR0YTBKKsB.exe String found in binary or memory: https://forums.rpgmakerweb.com/index.php?threads/retro.135715
Source: BXym2eR0YTBKKsB.exe String found in binary or memory: https://ocram-codes.net
Source: unknown DNS traffic detected: queries for: strongodss.ddns.net
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_0238337E WSARecv, 12_2_0238337E
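The hunt-relevant indicators in this section are the dynamic-DNS C2 host (strongodss.ddns.net), the resolved peer and non-standard port (185.19.85.175:50421), and, from the AV Detection section, the dropped persistence binaries under "Program Files (x86)\DHCP Monitor" and "AppData\Roaming". The long run of "String found in binary or memory" URLs (fontbureau.com, carterandcone.com, sakkal.com and the like) are font-foundry addresses that ship in embedded font resources and are not worth hunting on. The script below pulls the actionable items out of report text and flags the dynamic-DNS provider; it is an added example, not part of the Joe Sandbox report. The sample lines are copied from this report, the `DDNS_SUFFIXES` list is a partial, assumed list of well-known dynamic-DNS zones, and the choice of which line types count as IOCs is this example's judgement.

```python
"""Extract hunt-ready IOCs from Joe Sandbox report text.  Added example,
not part of the report.  REPORT_LINES are copied from this report;
DDNS_SUFFIXES is an assumed, partial list of dynamic-DNS zones."""
import ipaddress
import re

REPORT_LINES = [
    "MD5: c57dd0f3a3495b72307cd6bbe8ed0654",
    "SHA1: 792488219eb873bd7517d7b31622f3a6d6071aa9",
    "SHA256: debeb2b87fcaf1274ea62f5ed9f7b47f8128662b7b766729c5b3aa5b3a5ab7f5",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 33%",
    r"Source: C:\Users\user\AppData\Roaming\fuZNBNvJ.exe ReversingLabs: Detection: 33%",
    "Source: global traffic TCP traffic: 185.19.85.175 ports 0,1,2,4,5,50421",
    "Source: unknown DNS query: name: strongodss.ddns.net",
    "Source: global traffic TCP traffic: 192.168.2.3:49757 -> 185.19.85.175:50421",
    "Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.334730924.00000000062A2000.00000004.00000001.sdmp "
    "String found in binary or memory: http://www.fontbureau.com",
    "Source: unknown DNS traffic detected: queries for: strongodss.ddns.net",
]

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256): ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
DROP_RE = re.compile(r"^Source: ([A-Za-z]:\\.+?) ReversingLabs: Detection: (\d+)%$")
DNS_RE = re.compile(r"(?:DNS query: name|queries for): ([A-Za-z0-9.-]+)")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(rf"TCP traffic: ({IP}):(\d+) -> ({IP}):(\d+)")
PORTS_RE = re.compile(rf"TCP traffic: ({IP}) ports ([\d,]+)")

# Assumed, partial list of dynamic-DNS zones; extend from your own threat intel.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org",
                 ".hopto.org", ".zapto.org")


def is_dynamic_dns(domain):
    """True when the host sits in one of the assumed dynamic-DNS zones."""
    d = domain.lower().rstrip(".")
    return any(d.endswith(s) for s in DDNS_SUFFIXES)


def extract_iocs(lines):
    """Return hashes, dropped files, queried domains, public C2 peers and port lists."""
    iocs = {"hashes": {}, "dropped": [], "domains": set(), "c2": set(), "ports_seen": {}}
    for line in lines:
        line = line.strip()
        m = HASH_RE.match(line)
        if m and len(m.group(2)) == HASH_LEN[m.group(1)]:
            iocs["hashes"][m.group(1).lower()] = m.group(2)
            continue
        m = DROP_RE.match(line)
        if m:
            iocs["dropped"].append({"path": m.group(1), "detection": int(m.group(2))})
            continue
        m = DNS_RE.search(line)
        if m:
            iocs["domains"].add(m.group(1).lower())
            continue
        m = FLOW_RE.search(line)
        if m:
            dst = ipaddress.ip_address(m.group(3))
            if dst.is_global:  # ignore sandbox-internal peers such as 192.168.x.x
                iocs["c2"].add((str(dst), int(m.group(4))))
            continue
        m = PORTS_RE.search(line)
        if m:
            iocs["ports_seen"][m.group(1)] = sorted({int(p) for p in m.group(2).split(",")})
    iocs["dynamic_dns"] = {d for d in iocs["domains"] if is_dynamic_dns(d)}
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_LINES).items():
        print(f"{key}: {value}")
```

The "ports 0,1,2,4,5" entry that drives the "likely port scanning" signature is kept as-is under `ports_seen` rather than promoted to a C2 peer: only the completed flow to 50421 is treated as a confirmed peer, which is the port a NanoCore egress rule should key on together with the dynamic-DNS name.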

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: same Yara matches as listed under "Yara detected Nanocore RAT" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.BXym2eR0YTBKKsB.exe.5a60000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.2c189d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.2f5169c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.2f56518.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.2f5169c.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.5910000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.BXym2eR0YTBKKsB.exe.2c1394c.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.BXym2eR0YTBKKsB.exe.2c1394c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb4629.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BXym2eR0YTBKKsB.exe.3d40f90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BXym2eR0YTBKKsB.exe.3d40f90.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BXym2eR0YTBKKsB.exe.3cbcd80.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BXym2eR0YTBKKsB.exe.3cbcd80.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.562929378.0000000005910000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.357817060.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.357817060.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.359789773.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.359789773.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.563149725.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.320292572.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.320292572.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.320728680.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.320728680.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.321906752.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.321906752.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.558866137.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.558866137.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.379808216.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.379808216.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.358481197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.358481197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.380426142.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.563029808.0000000005A60000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7036, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7036, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 2548, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 2548, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: BXym2eR0YTBKKsB.exe, frmMain.cs Long String: Length: 22528
Source: fuZNBNvJ.exe.0.dr, frmMain.cs Long String: Length: 22528
Source: 0.0.BXym2eR0YTBKKsB.exe.430000.0.unpack, frmMain.cs Long String: Length: 22528
Source: 0.2.BXym2eR0YTBKKsB.exe.430000.0.unpack, frmMain.cs Long String: Length: 22528
Source: dhcpmon.exe.7.dr, frmMain.cs Long String: Length: 22528
Source: 7.2.BXym2eR0YTBKKsB.exe.890000.1.unpack, frmMain.cs Long String: Length: 22528
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.1.unpack, frmMain.cs Long String: Length: 22528
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.3.unpack, frmMain.cs Long String: Length: 22528
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.5.unpack, frmMain.cs Long String: Length: 22528
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.9.unpack, frmMain.cs Long String: Length: 22528
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.2.unpack, frmMain.cs Long String: Length: 22528
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.11.unpack, frmMain.cs Long String: Length: 22528
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.0.unpack, frmMain.cs Long String: Length: 22528
Uses 32bit PE files
Source: BXym2eR0YTBKKsB.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.2.BXym2eR0YTBKKsB.exe.5a60000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.5a60000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.2c189d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.2c189d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.2f5169c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.2f5169c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.2f56518.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.2f56518.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.2f5169c.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.2f5169c.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.5910000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.5910000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.BXym2eR0YTBKKsB.exe.2c1394c.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.2c1394c.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.BXym2eR0YTBKKsB.exe.2c1394c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.2c1394c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb4629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.BXym2eR0YTBKKsB.exe.5bb4629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BXym2eR0YTBKKsB.exe.3d40f90.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BXym2eR0YTBKKsB.exe.3d40f90.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BXym2eR0YTBKKsB.exe.3cbcd80.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BXym2eR0YTBKKsB.exe.3cbcd80.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.562929378.0000000005910000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.562929378.0000000005910000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000000.357817060.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.357817060.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.359789773.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.359789773.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.563149725.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.563149725.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.320292572.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.320292572.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.320728680.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.320728680.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.321906752.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.321906752.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.558866137.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.558866137.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.379808216.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.379808216.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.358481197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.358481197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.380426142.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.563029808.0000000005A60000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.563029808.0000000005A60000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7036, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7036, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 2548, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 2548, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
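The YARA matches above repeat the same three rules (Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1 and Kevin Breen's NanoCore) across unpacked PE regions, memory dumps and process memory spaces. The Python script below is an added example, not part of the Joe Sandbox report, that collapses such Source / Matched rule lines into one entry per rule with the process indices, source types and rule metadata, so an analyst can see at a glance which processes carried the payload. The field layout it assumes (Source, type, Matched rule, then comma-separated key = value metadata) and its reading of the dump names (process.phase.image.address... for .unpack sources, hex process.phase.id.base... for .sdmp sources) are inferred from the lines in this section, not from published documentation; the embedded sample is five lines copied from the section plus one non-matching line.

```python
"""Collapse Joe Sandbox 'Source: ... Matched rule: ...' lines into one entry per rule.

Added example, not part of the report. The field layout and the decoding of the
dump names are inferred from the report's own lines, not from documentation.
"""
import re
from collections import defaultdict

# Constructed sample: five lines copied from the report plus one non-matching line.
SAMPLE = """\
Source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.BXym2eR0YTBKKsB.exe.5910000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
One or more processes crash
"""

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<stype>\S+) Matched rule: (?P<rule>\S+) (?P<meta>.*)$"
)
# Assumed layout of unpack names: <proc>.<phase>.<image>.<addr hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d)\..+?\.(?P<addr>[0-9a-fA-F]+)\.\d+(?:\.raw)?\.unpack$"
)
# Assumed layout of memory dumps: <proc hex>.<phase hex>.<id>.<base hex>.<prot>.<kind>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\."
)
PIDSPACE_RE = re.compile(r"\bPID: (?P<pid>\d+)")


def parse_meta(meta: str) -> dict:
    """Split 'key = value, key = value' metadata (values hold no ', ' in this report)."""
    out = {}
    for part in meta.split(", "):
        key, sep, val = part.partition(" = ")
        if sep:
            out[key.strip()] = val.strip()
    return out


def locate(source: str) -> dict:
    """Decode a Source string into process index, dump phase, address and PID (if any).

    Assumption: the 8-hex-digit sdmp prefix is the same process index used in the
    unpack names, so sdmp 00000010 belongs to process 16 (the 16.x.*.unpack sources).
    """
    loc = {"proc": None, "phase": None, "addr": None, "pid": None}
    m = UNPACK_RE.match(source)
    if m:
        loc.update(proc=int(m["proc"]), phase=int(m["phase"]), addr=int(m["addr"], 16))
        return loc
    m = SDMP_RE.match(source)
    if m:
        loc.update(proc=int(m["proc"], 16), phase=int(m["phase"], 16), addr=int(m["addr"], 16))
        return loc
    m = PIDSPACE_RE.search(source)
    if m:
        loc["pid"] = int(m["pid"])
    return loc


def parse_report(text: str) -> list:
    """One record per 'Source: ... Matched rule: ...' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"source": m["source"], "stype": m["stype"], "rule": m["rule"],
               "meta": parse_meta(m["meta"])}
        rec.update(locate(m["source"]))
        records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Collapse the per-source records into one entry per YARA rule."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["rule"], {
            "hits": 0, "types": defaultdict(int), "procs": set(), "pids": set(),
            "meta": rec["meta"]})
        entry["hits"] += 1
        entry["types"][rec["stype"]] += 1
        if rec["proc"] is not None:
            entry["procs"].add(rec["proc"])
        if rec["pid"] is not None:
            entry["pids"].add(rec["pid"])
    for entry in summary.values():  # make the entries plain and deterministic
        entry["types"] = dict(entry["types"])
        entry["procs"] = sorted(entry["procs"])
        entry["pids"] = sorted(entry["pids"])
    return summary


if __name__ == "__main__":
    for rule, e in summarize(parse_report(SAMPLE)).items():
        print(f"{rule}: {e['hits']} hits {e['types']} procs={e['procs']} pids={e['pids']} "
              f"author={e['meta'].get('author')} hash1={e['meta'].get('hash1', '-')[:12]}")
```

Run stand-alone it prints one line per rule. On the sample, the .sdmp prefix 00000010 decodes to process 16, the same process as the 16.x.BXym2eR0YTBKKsB.exe.*.unpack sources, and 00000007 to process 7; that agreement between the two naming schemes is a useful sanity check before trusting the decoding on a full report, and the MEMORYSTR sources carry only an OS PID, which this report does not map to a process index.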
One or more processes crash
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1116
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_051D1C66 NtQuerySystemInformation, 7_2_051D1C66
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_051D1C2B NtQuerySystemInformation, 7_2_051D1C2B
Sample file is different than original file name gathered from version info
Source: BXym2eR0YTBKKsB.exe Binary or memory string: OriginalFilename vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.326499808.0000000000432000.00000002.00020000.sdmp Binary or memory string: OriginalFilename70YQ7i.exe: vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.335988932.0000000007F90000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.332243481.0000000002BAF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe Binary or memory string: OriginalFilename vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.559129449.0000000000892000.00000002.00020000.sdmp Binary or memory string: OriginalFilename70YQ7i.exe: vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe Binary or memory string: OriginalFilename vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.361616670.0000000000012000.00000002.00020000.sdmp Binary or memory string: OriginalFilename70YQ7i.exe: vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363495214.0000000002701000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362622770.00000000007EA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe Binary or memory string: OriginalFilename vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000010.00000000.357370542.00000000005A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename70YQ7i.exe: vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe Binary or memory string: OriginalFilename70YQ7i.exe: vs BXym2eR0YTBKKsB.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: security.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: security.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: security.dll
Source: BXym2eR0YTBKKsB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fuZNBNvJ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: BXym2eR0YTBKKsB.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File read: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe
Source: BXym2eR0YTBKKsB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe "C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe"
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2C1.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe {path}
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4F8A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp57C8.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" /XML "C:\Users\user\AppData\Local\Temp\tmp11CD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe {path}
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1116
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2C1.tmp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe {path}
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4F8A.tmp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp57C8.tmp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" /XML "C:\Users\user\AppData\Local\Temp\tmp11CD.tmp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1116
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_051D1A26 AdjustTokenPrivileges, 7_2_051D1A26
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_051D19EF AdjustTokenPrivileges, 7_2_051D19EF
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File created: C:\Users\user\AppData\Roaming\fuZNBNvJ.exe
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File created: C:\Users\user\AppData\Local\Temp\tmpD2C1.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@22/14@9/2
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ce7fbdd9-3c95-435d-8876-f66955192db5}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_01
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: BXym2eR0YTBKKsB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BXym2eR0YTBKKsB.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: BXym2eR0YTBKKsB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: oC:\Windows\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.375210362.000000000808A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\70YQ7i.pdb source: dhcpmon.exe, 00000011.00000002.382832984.0000000000AF6000.00000004.00000001.sdmp
Source: Binary string: indows\70YQ7i.pdbpdbQ7i.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.375210362.000000000808A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\70YQ7i.pdbM source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb3 source: BXym2eR0YTBKKsB.exe, 0000000C.00000003.361069331.0000000000864000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Runtime.Remoting.pdb/ source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.375210362.000000000808A000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0| source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Program Files (x86).pdb Mo source: dhcpmon.exe, 00000011.00000002.382832984.0000000000AF6000.00000004.00000001.sdmp
Source: Binary string: |indows\System.Runtime.Remoting.pdbpdbing.pdb source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362545112.00000000007C7000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\DsQzKpHbyJ\src\obj\Debug\70YQ7i.pdb source: BXym2eR0YTBKKsB.exe
Source: Binary string: C:\Users\user\Desktop\70YQ7i.pdb source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561126579.0000000002A65000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: BXym2eR0YTBKKsB.exe, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: fuZNBNvJ.exe.0.dr, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.BXym2eR0YTBKKsB.exe.430000.0.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.BXym2eR0YTBKKsB.exe.430000.0.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.7.dr, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.2.BXym2eR0YTBKKsB.exe.890000.1.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.1.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.3.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.5.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.9.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.2.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.11.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.890000.0.unpack, frmMain.cs .Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_0043B273 push ss; ret 0_2_0043B9EA
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_0043B921 push ss; ret 0_2_0043B9EA
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_026A4E60 push ebx; ret 0_2_026A4E61
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_004362C5 push es; retn 0000h 0_2_004365B7
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_0089B921 push ss; ret 7_2_0089B9EA
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_0089B273 push ss; ret 7_2_0089B9EA
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982DD9 push edi; ret 7_2_02982DDA
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982851 push edi; ret 7_2_0298285E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982D48 push ecx; ret 7_2_02982D4A
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982DCD push edi; ret 7_2_02982DCE
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982FB8 push eax; ret 7_2_02982FBE
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_029828BD push edi; ret 7_2_029828BE
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_029827B4 push eax; ret 7_2_029827B6
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982869 push edi; ret 7_2_0298286A
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982D6D push eax; ret 7_2_02982D6E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02982D60 push ecx; ret 7_2_02982D62
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_029974B8 push ebp; ret 7_2_029974B9
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_029974AC push ecx; ret 7_2_029974AD
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02999DEC pushfd ; retf 7_2_02999DED
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02999D70 push eax; retf 7_2_02999D71
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_02999D74 pushad ; retf 7_2_02999D75
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_008962C5 push es; retn 0000h 7_2_008965B7
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_0001B921 push ss; ret 12_2_0001B9EA
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_0001B273 push ss; ret 12_2_0001B9EA
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_0235E2CC push ecx; retf 12_2_0235E2CD
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_0235E06C pushfd ; iretd 12_2_0235E06D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_007BB273 push ss; ret 13_2_007BB9EA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_007BB921 push ss; ret 13_2_007BB9EA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00FE2FF4 push ecx; ret 13_2_00FE2FF6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00FE2935 push edi; ret 13_2_00FE2936
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00FE2FE8 push ecx; ret 13_2_00FE2FEA
Binary contains a suspicious time stamp
Source: BXym2eR0YTBKKsB.exe Static PE information: 0xA23402CC [Sun Mar 26 17:33:00 2056 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.6984087559
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File created: C:\Users\user\AppData\Roaming\fuZNBNvJ.exe
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2C1.tmp"

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe File opened: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process information set: NOOPENFILEERRORBOX (149 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (34 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.332243481.0000000002BAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.332243481.0000000002BAF000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.332243481.0000000002BAF000.00000004.00000001.sdmp, BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Note: wine_get_unix_file_name is a kernel32 export that exists only under Wine, and SbieDll.dll is the helper DLL that Sandboxie loads into every sandboxed process; a GetProcAddress lookup for the former and a GetModuleHandle lookup for the latter is the standard cheap test for both environments. The strings are present in the dumps of the first-stage process (index 00000000) and of the injected second stage (index 0000000C), so the check is carried by the loader as well as the payload.
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 6904 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 6996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 4844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 4844 Thread sleep count: 127 > 30
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 4844 Thread sleep count: 202 > 30
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 5096 Thread sleep count: 200 > 30
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 2824 Thread sleep time: -460000s >= -30000s
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 5108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 5372 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6092 Thread sleep time: -922337203685477s >= -30000s
Note: 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (2^63 - 1 ticks of 100 ns, divided by 10,000), so these threads are parked indefinitely rather than for a measurable interval; the negative sign is the relative-interval form that NtDelayExecution takes. The -460000 on TID 2824 and the sleep counts of 127 to 202 on TIDs 4844 and 5096 are the finite, looping delays that a sandbox's sleep skipping has to handle correctly.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 identical entries)
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Thread delayed: delay time: 922337203685477 (6 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Window / User API: foregroundWindowGot 786
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_051D174E GetSystemInfo, 7_2_051D174E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Thread delayed: delay time: 922337203685477 (6 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: vmware
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362622770.00000000007EA000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.363562772.000000000274F000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.362622770.00000000007EA000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note: the VMware Tools registry key and install path, the SCSI DEVICEMAP and Disk\Enum keys, the display-adapter class key {4D36E968-E325-11CE-BFC1-08002BE10318} and the "VMware SVGA II" adapter name are the usual registry fingerprints for a VMware guest; the second stage reads each and compares the value against "vmware". The STORAGE volume and SCSI CdRom paths (Ven_NECVMWar, Prod_VMware_SATA_CD00) are the analysis VM's own device names, read back by the sample, which shows the check had something to find. Two caveats for anyone reusing these strings as indicators: "Hyper-V RAW" together with the mswsock.dll path is a Winsock catalog entry present on standard Windows 10 hosts, not evidence of a VM check, and the "VMware SVGA II" string fused to a SQL Server connection string (Data Source=localhost\sqlexpress;Initial Catalog=dbSMS) is two adjacent heap strings read as one; the connection string is unrelated to the check.
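The following triage helper is an added example, not part of the sandbox's own signature set. It does two things a practitioner wants when reading the evasion block above: it extracts ASCII and UTF-16LE strings from a memory dump or PE (the .NET stages keep most of these strings wide) and groups the sandbox/VM artefacts by the environment they fingerprint, keeping the Winsock "Hyper-V RAW" string in a separate benign bucket so it cannot inflate the verdict; and it classifies sleep intervals with the report's own thresholds, treating 922337203685477 as TimeSpan.MaxValue in milliseconds. The category names, the assumption that the report's magnitudes are milliseconds, and the sample bytes are all constructed for the demonstration.

```python
"""Triage helper for the evasion indicators listed above (added example).
Extracts ASCII/UTF-16LE strings, groups sandbox and VM artefact strings by
what they fingerprint, and classifies sleep intervals like the report does.
The sample bytes at the bottom are constructed."""
import re
from collections import defaultdict

TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477: TimeSpan.MaxValue in ms
SANDBOX_THRESHOLD_MS = 30_000             # the ">= -30000" bound the report applies
LONG_SLEEP_MS = 180_000                   # "Contains long sleeps (>= 3 min)"

# Strings taken from the report's memory dumps, keyed by what they fingerprint
# (category names are this example's own choice).
INDICATORS = {
    "sandboxie": [r"SbieDll\.dll"],
    "wine": [r"WINE_GET_UNIX_FILE_NAME"],
    "vmware": [
        r"SOFTWARE\\VMware, Inc\.\\VMware Tools",
        r"VMware SVGA II",
        r"Ven_NECVMWar|Prod_VMware",
    ],
    "disk-enum": [
        r"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+",
        r"SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
        r"\{4D36E968-E325-11CE-BFC1-08002BE10318\}",   # display-adapter class key
    ],
}
# Looks like a VM artefact but ships with every Windows 10 host.
BENIGN = {"winsock-hyperv-provider": [r"Hyper-V RAW"]}


def extract_strings(data: bytes, min_len: int = 6):
    """Yield printable ASCII and UTF-16LE runs (what `strings -a` / `strings -el` give)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16le")


def scan_indicators(data: bytes) -> dict:
    """Return {category: sorted matched strings} for every hit, benign ones included."""
    hits = defaultdict(set)
    strings = list(extract_strings(data))
    for table in (INDICATORS, BENIGN):
        for category, patterns in table.items():
            for pat in patterns:
                rx = re.compile(pat, re.IGNORECASE)
                hits[category].update(s for s in strings if rx.search(s))
    return {k: sorted(v) for k, v in hits.items() if v}


def classify_delay(interval: int) -> str:
    """Label a delay with the report's thresholds.  Assumption (this example's):
    magnitudes are milliseconds and a negative value is NtDelayExecution's relative form."""
    ms = abs(interval)
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"      # thread parked for good; only sleep skipping reveals it
    if ms >= LONG_SLEEP_MS:
        return "long"          # >= 3 min, outlasts a default sandbox run
    if ms >= SANDBOX_THRESHOLD_MS:
        return "evasive"       # >= 30 s, the report's own bound
    return "short"


def verdict(data: bytes) -> bool:
    """True when at least one non-benign environment fingerprint is present."""
    return any(cat in INDICATORS for cat in scan_indicators(data))


# Constructed sample: report strings in the encodings a .NET process keeps them in.
SAMPLE = (
    b"\x00" * 8
    + b"SBIEDLL.DLL\x00\x00\x00"
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16le") + b"\x00\x00"
    + b"Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll\x00"
    + b"unrelated text that should not match anything\x00"
)

if __name__ == "__main__":
    for cat, found in scan_indicators(SAMPLE).items():
        print(f"{cat}: {found}")
    for d in (-922337203685477, -460000, -1000):
        print(d, classify_delay(d))
    print("evades analysis:", verdict(SAMPLE))
```

Run it against a process dump (for example the 0000000C .sdmp listed above, read into `data`) rather than the constructed sample to reproduce the report's string hits; the wide-string pass is what finds them in the .NET stages.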

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process token adjusted: Debug
Note: SeDebugPrivilege enabled through AdjustTokenPrivileges. It only takes effect when the user is an administrator, and it is not needed to open the sample's own child process, which is the only injection target in this run; here it is a sign of a generic injection routine rather than of a targeted one.
Checks if the current process is being debugged
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Memory allocated: page read and write | page guard
Note: "DebugPort" is the ProcessDebugPort information class of NtQueryInformationProcess, the call behind CheckRemoteDebuggerPresent; a non-zero port means a debugger is attached. The PAGE_GUARD allocation is the second debugger heuristic the sandbox counts here.

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Memory written: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe base: 400000 value starts with: 4D5A (2 identical entries)
Note: 4D5A is the "MZ" magic and 0x400000 is the default image base of a 32-bit executable: the parent writes a complete PE image over the image of a freshly created copy of itself. Together with the suspended-mode process creation recorded next, this is the process-hollowing pattern (ATT&CK T1055.012); the written image is where the NanoCore payload and the VMware checks above live.
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2C1.tmp"
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe {path}
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4F8A.tmp"
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp57C8.tmp"
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" /XML "C:\Users\user\AppData\Local\Temp\tmp11CD.tmp"
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Process created: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1116
Note: the schtasks.exe launches register the "Updates\fuZNBNvJ", "DHCP Monitor" and "DHCP Monitor Task" tasks from XML definitions written to the user's Temp directory, which is what the Sigma rule in the summary fires on; the task XML files are the place to recover the trigger and the path of the persistent copy. The "Updates\fuZNBNvJ" registration and the {path} self-launch each appear twice, consistent with the loader stage having run twice during the analysis (the AntiVM Yara hits list two loader PIDs, 6240 and 7080). dhcpmon.exe is the persistent copy under Program Files (x86), and its dw20.exe child is the .NET error-reporting shim, i.e. the crash recorded in the summary.
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.561860166.00000000031B9000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.560701392.0000000001570000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.560701392.0000000001570000.00000002.00020000.sdmp Binary or memory string: Progman
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.560701392.0000000001570000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Note: "Program Manager", "Progman" and "Shell_TrayWnd" are the title and window class names of the Windows desktop shell, consistent with the GetForegroundWindow polling loop reported under "Found a high number of Window / User specific system calls" above; on their own they are weak evidence, since ordinary UI code references them too.
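The detection logic below is an added example, not a Joe Sandbox signature or the Sigma rule itself. It runs three checks over process-creation events of the kind Sysmon Event ID 1 or Security 4688 produce, each modelled on one line of the block above: a schtasks /Create whose /XML definition lives in the user's Temp directory (the pattern behind the "Suspicious Add Task From User AppData Temp" hit in the summary), a user-writable executable spawning a copy of itself (the parent/child pair hollowing leaves behind), and dw20.exe launched by something outside the Windows directory (the dhcpmon.exe crash). A parent that both persists from Temp and self-spawns is escalated, because that is this sample's chain. The PIDs other than 6240 and 7080, the parent PIDs, and the two benign control events are invented for the demonstration; the command lines are those recorded above.

```python
"""Detection logic for the persistence / injection chain recorded above,
run over constructed process-creation events (added example, not a sandbox
or Sigma artefact).  PIDs other than 6240/7080 and the benign controls
are invented."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 fields)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


CREATE_ARG = re.compile(r"\s/create\b", re.IGNORECASE)
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\(Users|ProgramData)\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\Windows\\", re.IGNORECASE)


def rule_task_from_temp(ev):
    """schtasks /Create whose /XML definition is in the user's Temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe") or not CREATE_ARG.search(ev.cmdline):
        return None
    m = XML_ARG.search(ev.cmdline)
    xml_path = (m.group(1) or m.group(2)) if m else ""
    if USER_TEMP.search(xml_path):
        return "scheduled task registered from XML in user Temp", "medium"
    return None


def rule_self_spawn(ev):
    """A user-writable executable starting a copy of itself (hollowing candidate).
    Browsers self-spawn too, hence the path restriction and medium severity."""
    if ev.image.lower() == ev.parent_image.lower() and USER_WRITABLE.match(ev.image):
        return "self-spawn of a user-writable executable (hollowing candidate)", "medium"
    return None


def rule_dotnet_crash(ev):
    """dw20.exe launched by a non-Windows parent: that parent threw an unhandled
    exception.  Context for the analyst rather than an alert on its own."""
    if ev.image.lower().endswith("\\dw20.exe") and not WINDOWS_DIR.match(ev.parent_image):
        return f"crash reporter launched by {ev.parent_image}", "low"
    return None


RULES = (rule_task_from_temp, rule_self_spawn, rule_dotnet_crash)


def analyse(events):
    """Apply every rule; escalate a parent that both registers a Temp-based
    task and spawns a copy of itself."""
    findings, by_parent = [], {}
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"pid": ev.pid, "rule": rule.__name__,
                                 "severity": hit[1], "detail": hit[0]})
                by_parent.setdefault(ev.parent_pid, set()).add(rule.__name__)
    for ppid, names in by_parent.items():
        if {"rule_task_from_temp", "rule_self_spawn"} <= names:
            findings.append({"pid": ppid, "rule": "chain", "severity": "high",
                             "detail": "parent persisted via Temp XML task and spawned a copy of itself"})
    return findings


LOADER = r"C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe"
DHCPMON = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
SAMPLE_EVENTS = [  # constructed; command lines follow the report, PIDs 4012/6504/5212/4876 are invented
    ProcEvent(6240, LOADER, f'"{LOADER}"', 4012, r"C:\Windows\explorer.exe"),
    ProcEvent(6504, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuZNBNvJ" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpD2C1.tmp"', 6240, LOADER),
    ProcEvent(7080, LOADER, f'"{LOADER}"', 6240, LOADER),
    ProcEvent(5212, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
              "dw20.exe -x -s 1116", 4876, DHCPMON),
    # benign controls: task from a vendor directory, browser renderer self-spawn
    ProcEvent(3300, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Maint\Cleanup" /XML "C:\ProgramData\Vendor\cleanup.xml"',
              900, r"C:\Windows\System32\svchost.exe"),
    ProcEvent(3310, r"C:\Program Files\Browser\browser.exe",
              r'"C:\Program Files\Browser\browser.exe" --type=renderer',
              3305, r"C:\Program Files\Browser\browser.exe"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']}: {f['rule']}: {f['detail']}")
```

The self-spawn rule is deliberately narrow: without the user-writable-path condition it fires on every browser renderer, and the chain escalation is what makes it useful here, since the schtasks registration and the hollowed child share the same parent PID.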

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Note: the VolumeInformation queries below cover the font files under C:\Windows\Fonts one by one; this is typical of GDI+ building its font cache the first time a .NET application draws text, a side effect of the loader's UI code rather than a deliberate fingerprint of the host.
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3d40f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3cbcd80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357817060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.359789773.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.563149725.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.320292572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.320728680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.321906752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.558866137.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.379808216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.358481197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380426142.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 2548, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: BXym2eR0YTBKKsB.exe, 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: BXym2eR0YTBKKsB.exe, 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_Assembly
CompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: BXym2eR0YTBKKsB.exe, 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BXym2eR0YTBKKsB.exe, 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: BXym2eR0YTBKKsB.exe, 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_Assembly
CompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f8ec9e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f93adb.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c43adb.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c3ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BXym2eR0YTBKKsB.exe.3c49511.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.BXym2eR0YTBKKsB.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.3f99511.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.BXym2eR0YTBKKsB.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.BXym2eR0YTBKKsB.exe.5bb4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.BXym2eR0YTBKKsB.exe.3803af0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3d40f90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3cbcd80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BXym2eR0YTBKKsB.exe.3c63af0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.562022450.0000000003F87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.364841713.0000000003701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357309570.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380470660.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.357817060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.359789773.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.322917905.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.563149725.0000000005BB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.320292572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.320728680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.321906752.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.558866137.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.379808216.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.358481197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380426142.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.333259047.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 6240, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BXym2eR0YTBKKsB.exe PID: 2548, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_04CC0A8E listen, 0_2_04CC0A8E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_04CC0E9E bind, 0_2_04CC0E9E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_04CC0A50 listen, 0_2_04CC0A50
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 0_2_04CC0E6B bind, 0_2_04CC0E6B
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_051D2F3E bind, 7_2_051D2F3E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 7_2_051D2F0E bind, 7_2_051D2F0E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_02380E9E bind, 12_2_02380E9E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_02380A8E listen, 12_2_02380A8E
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_02380E6B bind, 12_2_02380E6B
Source: C:\Users\user\Desktop\BXym2eR0YTBKKsB.exe Code function: 12_2_02380A50 listen, 12_2_02380A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_05410FC6 bind, 13_2_05410FC6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_05410A8E listen, 13_2_05410A8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_05410A50 CreateMutexW,listen, 13_2_05410A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_05410F93 bind, 13_2_05410F93
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_05370A8E listen, 17_2_05370A8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_05370FC6 bind, 17_2_05370FC6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_05370F93 bind, 17_2_05370F93
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 17_2_05370A50 listen, 17_2_05370A50