Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report INV.exe

Overview

General Information

Sample Name:INV.exe
Analysis ID:527765
MD5:9d64fa92ce93c242c09947e6a0a892a6
SHA1:463c942e70fee74aef894c0da58277c884d8c6bd
SHA256:e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • INV.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\INV.exe" MD5: 9D64FA92CE93C242C09947E6A0A892A6)
    • INV.exe (PID: 6488 cmdline: C:\Users\user\Desktop\INV.exe MD5: 9D64FA92CE93C242C09947E6A0A892A6)
  • dhcpmon.exe (PID: 5236 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 9D64FA92CE93C242C09947E6A0A892A6)
    • dhcpmon.exe (PID: 6988 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 9D64FA92CE93C242C09947E6A0A892A6)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x6943b:$a: NanoCore
    • 0x69494:$a: NanoCore
    • 0x694d1:$a: NanoCore
    • 0x6954a:$a: NanoCore
    • 0x6949d:$b: ClientPlugin
    • 0x694da:$b: ClientPlugin
    • 0x69dd8:$b: ClientPlugin
    • 0x69de5:$b: ClientPlugin
    • 0x5f093:$e: KeepAlive
    • 0x69925:$g: LogClientMessage
    • 0x698a5:$i: get_Connected
    • 0x59871:$j: #=q
    • 0x598a1:$j: #=q
    • 0x598dd:$j: #=q
    • 0x59905:$j: #=q
    • 0x59935:$j: #=q
    • 0x59965:$j: #=q
    • 0x59995:$j: #=q
    • 0x599c5:$j: #=q
    • 0x599e1:$j: #=q
    • 0x59a11:$j: #=q
    0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
      Click to see the 48 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.2.dhcpmon.exe.3b7fc20.2.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      8.2.dhcpmon.exe.3b7fc20.2.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
      8.2.dhcpmon.exe.3b7fc20.2.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        8.2.dhcpmon.exe.3b7fc20.2.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xe0f5:$a: NanoCore
        • 0xe105:$a: NanoCore
        • 0xe339:$a: NanoCore
        • 0xe34d:$a: NanoCore
        • 0xe38d:$a: NanoCore
        • 0xe154:$b: ClientPlugin
        • 0xe356:$b: ClientPlugin
        • 0xe396:$b: ClientPlugin
        • 0xe27b:$c: ProjectData
        • 0xec82:$d: DESCrypto
        • 0x1664e:$e: KeepAlive
        • 0x1463c:$g: LogClientMessage
        • 0x10837:$i: get_Connected
        • 0xefb8:$j: #=q
        • 0xefe8:$j: #=q
        • 0xf004:$j: #=q
        • 0xf034:$j: #=q
        • 0xf050:$j: #=q
        • 0xf06c:$j: #=q
        • 0xf09c:$j: #=q
        • 0xf0b8:$j: #=q
        4.0.INV.exe.400000.8.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        Click to see the 84 entries

        Sigma Overview

        AV Detection:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INV.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INV.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Stealing of Sensitive Information:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INV.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INV.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
        Multi AV Scanner detection for submitted fileShow sources
        Source: INV.exeReversingLabs: Detection: 20%
        Antivirus / Scanner detection for submitted sampleShow sources
        Source: INV.exeAvira: detected
        Multi AV Scanner detection for domain / URLShow sources
        Source: dera31.ddns.netVirustotal: Detection: 6%Perma Link
        Source: dera31.ddns.netVirustotal: Detection: 6%Perma Link
        Source: 195.133.18.211Virustotal: Detection: 5%Perma Link
        Antivirus detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeAvira: detection malicious, Label: HEUR/AGEN.1141888
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 20%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.403458d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTR
        Source: 11.0.dhcpmon.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 4.0.INV.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 4.0.INV.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 4.0.INV.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.0.dhcpmon.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 4.0.INV.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 4.0.INV.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.0.dhcpmon.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.0.dhcpmon.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.0.dhcpmon.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: INV.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: INV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: C:\Users\user\Desktop\INV.exeCode function: 4x nop then jmp 07EC0E60h
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4x nop then jmp 06C80E60h

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: dera31.ddns.net
        Source: Malware configuration extractorURLs: 195.133.18.211
        Uses dynamic DNS servicesShow sources
        Source: unknownDNS query: name: dera31.ddns.net
        Source: Joe Sandbox ViewASN Name: DATACENTERRO DATACENTERRO
        Source: global trafficTCP traffic: 192.168.2.6:49753 -> 194.85.248.250:1187
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: dhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: http://www.chinhdo.com
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: INV.exe, 00000000.00000002.383708264.0000000001AA7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comgrito
        Source: INV.exe, 00000000.00000002.383708264.0000000001AA7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comm
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: unknownDNS traffic detected: queries for: dera31.ddns.net
        Source: INV.exe, 00000000.00000002.380337690.0000000001689000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: dhcpmon.exe, 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.403458d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTR

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.402ff64.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.403458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.402ff64.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.304965c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: INV.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.402ff64.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.402ff64.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.403458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.403458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.402ff64.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.402ff64.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.304965c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.304965c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01676E70
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0167CAD4
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0167EF0B
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0167EF18
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01676E5F
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_07EC12F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B86E70
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B8CAD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B86E5F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B8EF18
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B8EF0A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_06C812F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_02FCE480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_02FCE471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_02FCBBD4
        Source: INV.exe, 00000000.00000002.380337690.0000000001689000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs INV.exe
        Source: INV.exe, 00000000.00000002.390578971.0000000007D10000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs INV.exe
        Source: INV.exe, 00000000.00000002.378068270.000000000105A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFORMATFLA.exeB vs INV.exe
        Source: INV.exe, 00000000.00000002.384059989.0000000003361000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs INV.exe
        Source: INV.exe, 00000004.00000000.376009671.0000000000A4A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFORMATFLA.exeB vs INV.exe
        Source: INV.exeBinary or memory string: OriginalFilenameFORMATFLA.exeB vs INV.exe
        Source: INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: INV.exeReversingLabs: Detection: 20%
        Source: C:\Users\user\Desktop\INV.exeFile read: C:\Users\user\Desktop\INV.exeJump to behavior
        Source: INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\INV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\INV.exe "C:\Users\user\Desktop\INV.exe"
        Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\INV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\INV.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV.exe.logJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@18/2
        Source: 4.0.INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.0.INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 4.0.INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.0.INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\INV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\INV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\INV.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f4157c11-54e5-4893-8a60-6856b8471d8c}
        Source: C:\Users\user\Desktop\INV.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\INV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: INV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: INV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: INV.exe, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.2.INV.exe.fd0000.0.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.0.INV.exe.fd0000.0.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: dhcpmon.exe.4.dr, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.9c0000.2.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.9c0000.7.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.0.INV.exe.9c0000.3.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.INV.exe.9c0000.0.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.0.INV.exe.9c0000.1.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 4.0.INV.exe.9c0000.5.unpack, ObjectHolderList/ObjectHolderListGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_00FD4FCF pushad ; ret
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_0167D238 push 3C0584CFh; iretd
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_058E744D push edi; retf
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_058E745A push ebx; ret
        Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_07EC430D push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00474FCF pushad ; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B8D238 push 3C010ECFh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B81C7B push ebx; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00B81C67 push ebx; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02A3744D push edi; retf
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_02A3745A push ebx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_06C80FEB push es; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_06C84300 push dword ptr [edx+ebp*2-75h]; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_00BE4FCF pushad ; ret
        Source: initial sampleStatic PE information: section name: .text entropy: 7.90207517274
        Source: initial sampleStatic PE information: section name: .text entropy: 7.90207517274
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.0.INV.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.0.INV.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.0.INV.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.0.INV.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.0.INV.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.0.INV.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.0.INV.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\INV.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\INV.exeFile opened: C:\Users\user\Desktop\INV.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\INV.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        barindex
        Yara detected AntiVM3Show sources
        Source: Yara matchFile source: 8.2.dhcpmon.exe.2aaa668.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.338a614.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.384059989.0000000003361000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: INV.exe, 00000000.00000002.384059989.0000000003361000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Source: INV.exe, 00000000.00000002.384059989.0000000003361000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\INV.exe TID: 7076Thread sleep time: -35432s >= -30000s
        Source: C:\Users\user\Desktop\INV.exe TID: 7100Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\INV.exe TID: 6296Thread sleep time: -11068046444225724s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3032Thread sleep time: -39940s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3224Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6928Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\INV.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\INV.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\INV.exeWindow / User API: threadDelayed 3311
        Source: C:\Users\user\Desktop\INV.exeWindow / User API: threadDelayed 5778
        Source: C:\Users\user\Desktop\INV.exeWindow / User API: foregroundWindowGot 637
        Source: C:\Users\user\Desktop\INV.exeWindow / User API: foregroundWindowGot 743
        Source: C:\Users\user\Desktop\INV.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\INV.exeThread delayed: delay time: 35432
        Source: C:\Users\user\Desktop\INV.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\INV.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 39940
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: dhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: dhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: dhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\INV.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\INV.exeMemory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\INV.exeProcess created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Users\user\Desktop\INV.exe VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Users\user\Desktop\INV.exe VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\INV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INV.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.403458d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTR

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: INV.exe, 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: INV.exe, 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.403458d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 4.0.INV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402ff64.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.402b12e.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.4539700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INV.exe.445fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3c59700.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.dhcpmon.exe.3b7fc20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 7072, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: INV.exe PID: 6488, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5236, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6988, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management Instrumentation1Path InterceptionProcess Injection11Masquerading2Input Capture21Query Registry1Remote ServicesInput Capture21Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemorySecurity Software Discovery211Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion21Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection11NTDSVirtualization/Sandbox Evasion21Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol21Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonHidden Files and Directories1Cached Domain CredentialsSystem Information Discovery12VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing13Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        INV.exe20%ReversingLabsByteCode-MSIL.Trojan.Taskun
        INV.exe100%AviraHEUR/AGEN.1141888

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%AviraHEUR/AGEN.1141888
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe20%ReversingLabsByteCode-MSIL.Trojan.Taskun

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        11.0.dhcpmon.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        4.0.INV.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        4.0.INV.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        4.0.INV.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.0.dhcpmon.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        4.0.INV.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        4.0.INV.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.0.dhcpmon.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.0.dhcpmon.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.0.dhcpmon.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

        Domains

        SourceDetectionScannerLabelLink
        dera31.ddns.net6%VirustotalBrowse

        URLs

        SourceDetectionScannerLabelLink
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        dera31.ddns.net6%VirustotalBrowse
        dera31.ddns.net0%Avira URL Cloudsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.fontbureau.comm0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.fontbureau.comgrito0%URL Reputationsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.chinhdo.com0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe
        195.133.18.2115%VirustotalBrowse
        195.133.18.2110%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        dera31.ddns.net
        		194.85.248.250
        		truetrueunknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        dera31.ddns.nettrue
        • 6%, Virustotal, Browse
        • Avira URL Cloud: safe
        		unknown
        195.133.18.211true
        • 5%, Virustotal, Browse
        • Avira URL Cloud: safe
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://www.apache.org/licenses/LICENSE-2.0INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
          		high
          http://www.fontbureau.comINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
            		high
            http://www.fontbureau.com/designersGINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designers/?INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                		high
                http://www.founder.com.cn/cn/bTheINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers?INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                  		high
                  http://www.tiro.comINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designersINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                    		high
                    http://www.goodfont.co.krINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.carterandcone.comlINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.sajatypeworks.comINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.typography.netDINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers/cabarga.htmlNINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                      		high
                      http://www.founder.com.cn/cn/cTheINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.galapagosdesign.com/staff/dennis.htmINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://fontfabrik.comINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cnINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/frere-jones.htmlINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.commINV.exe, 00000000.00000002.383708264.0000000001AA7000.00000004.00000040.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.galapagosdesign.com/DPleaseINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers8INV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.comgritoINV.exe, 00000000.00000002.383708264.0000000001AA7000.00000004.00000040.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fonts.comINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                            		high
                            http://www.sandoll.co.krINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.urwpp.deDPleaseINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.zhongyicts.com.cnINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.chinhdo.comdhcpmon.exe, 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.sakkal.comINV.exe, 00000000.00000002.389041643.00000000074B2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown

                            Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public

                            IPDomainCountryFlagASNASN NameMalicious
                            194.85.248.250
                            		dera31.ddns.netRussian Federation
                            		35478DATACENTERROtrue

                            Private

                            IP
                            192.168.2.1

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:527765
                            Start date:24.11.2021
                            Start time:11:39:21
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 10m 52s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:INV.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:23
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@6/8@18/2
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 0.9% (good quality ratio 0.4%)
                            • Quality average: 24.5%
                            • Quality standard deviation: 32.6%
                            HCA Information:
                            • Successful, ratio: 92%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            Show All
                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                            • TCP Packets have been reduced to 100
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, dual-a-0001.dc-msedge.net, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            11:40:33API Interceptor886x Sleep call for process: INV.exe modified
                            11:40:45AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            11:40:59API Interceptor1x Sleep call for process: dhcpmon.exe modified

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                            194.85.248.250CV.exeGet hashmaliciousBrowse

                              Domains

                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              dera31.ddns.netCV.exeGet hashmaliciousBrowse
                              • 194.85.248.250
                              circular_11_17_21.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              Bank Report.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              cliff.kuhfeldt's CV.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              Jessica Ohnesorge'CV.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              Change Of Registration Form.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              Payment invoice.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              Wire Transfer Slip.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              Advise.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              Bank Report.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              N5HlpHINh2.exeGet hashmaliciousBrowse
                              • 195.133.18.211
                              BL draft.exeGet hashmaliciousBrowse
                              • 195.133.18.211

                              ASN

                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              DATACENTERROCV.exeGet hashmaliciousBrowse
                              • 194.85.248.250
                              TMR590241368.exeGet hashmaliciousBrowse
                              • 194.85.248.115
                              vIyyHkRXJnGet hashmaliciousBrowse
                              • 194.85.250.154
                              267A80yAhpGet hashmaliciousBrowse
                              • 194.85.250.154
                              QJYxAALd23Get hashmaliciousBrowse
                              • 194.85.250.154
                              z4bJfjXDDQGet hashmaliciousBrowse
                              • 194.85.250.154
                              XXaLHoecGpGet hashmaliciousBrowse
                              • 194.85.250.154
                              AGiCic4uDzGet hashmaliciousBrowse
                              • 194.85.250.154
                              3B3BMxYG8nGet hashmaliciousBrowse
                              • 194.85.250.154
                              6WMo1OYmk3Get hashmaliciousBrowse
                              • 194.85.250.154
                              dycuTng5W8Get hashmaliciousBrowse
                              • 194.85.250.154
                              xINX4f5M8sGet hashmaliciousBrowse
                              • 194.85.250.154
                              SSIuSyaBAFGet hashmaliciousBrowse
                              • 194.85.250.154
                              IMG600094173852.exeGet hashmaliciousBrowse
                              • 194.85.248.115
                              cdQc14SeRuGet hashmaliciousBrowse
                              • 194.85.248.128
                              t5dIUw7hghGet hashmaliciousBrowse
                              • 194.85.248.128
                              9hYMlirC3xGet hashmaliciousBrowse
                              • 194.85.248.128
                              qd7I0rgtfUGet hashmaliciousBrowse
                              • 194.85.248.128
                              aKU4GDKdTZGet hashmaliciousBrowse
                              • 194.85.248.128
                              oGszHCs1c7Get hashmaliciousBrowse
                              • 194.85.248.128

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Process:C:\Users\user\Desktop\INV.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):553472
                              Entropy (8bit):7.892995395638637
                              Encrypted:false
                              SSDEEP:12288:tOL/Mq/d/xj06PDRQtc0DEt1G2AjKVUhCX+U3/4sQ+5C5xw:tOLUm/mWDk+RA+qgXF/4sQ+U5
                              MD5:9D64FA92CE93C242C09947E6A0A892A6
                              SHA1:463C942E70FEE74AEF894C0DA58277C884D8C6BD
                              SHA-256:E6A01CE5B7532B69A312FEE870B244D1DF1A6CAC00551981C850CE38EDC79AF5
                              SHA-512:92AAA8E0BABD8B19264D9F4BAB511FEF60B64BC4E54E6D6F65010D4545F9D8670933A22121C0BA2EE54D61C66F63769BA971FD4C1F38CE6497CA8BB6DCCAE61A
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 20%
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..a..............0..h..........>.... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...Df... ...h.................. ..`.rsrc................j..............@..@.reloc...............p..............@..B................ .......H.......X>...G......o.......Ho..........................................................................................................................................?.......B........................0..........*....0........... .... .".+a%....^E....F...................u.......\.......8.......i/. P*.$%+. .U.6%&+..........X. ..T#+..o........ uC..Z .0..a+...... ....Z .+!Da8o...s....... '..Z ..>-a8V....... ..>GZ #.wa8A...r...p(....... ..Z 3Z."a8#.....*...0...........r...p.
                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\INV.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV.exe.log
                              Process:C:\Users\user\Desktop\INV.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.355304211458859
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.355304211458859
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                              Process:C:\Users\user\Desktop\INV.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):232
                              Entropy (8bit):7.117516745217376
                              Encrypted:false
                              SSDEEP:6:X4LDAnybgCFcpJSQwP4d7V9Nhyleajl0fuONKcpMe5i:X4LEnybgCFCtvd7V9NYRj+GONKaMv
                              MD5:CF55DF705B79F961ED069D8E84D2AF1C
                              SHA1:574CDF36753CF356A25872BCCAA3CC6FFCD5D23F
                              SHA-256:DF982E10764D21FCB1469EB6EA1175AC69544C68900B0DD8C79A0FE8A8F300F5
                              SHA-512:518A037DF1D6FBC8A296DA5B96B67E073FB1F674090AFE3243E52A65B169DE35FC041C2C05F7EEF9EC74A0100A422E53B3D7D920E5ADF6CE42B82FE94244F5DE
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL...Q.F...@.h.......y.[....e..<..n....B...PP...azZ).~..Uj.>..H.b.O..AX.E.S&.O.k.3O'.Lge...$..teI....Hw.CT.].Z.
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                              Process:C:\Users\user\Desktop\INV.exe
                              File Type:Non-ISO extended-ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:bnt:p
                              MD5:B67F236CCBDD808687AB1ED303277371
                              SHA1:A7F2A003B809BE7AEC847182F7A8E32E1A69927D
                              SHA-256:54D51090990EA722925865E229CEC4ACA47400D75F98803D004B2E2F52E86247
                              SHA-512:4F53EBEC74CF58ED08C623FE2ABD36000297C162EDDCD27D284A31E57E1AB3A0ECEE1DDA76B936C069CF869D40B6E84C4BFF03B122665DF912CA097CF091ABD2
                              Malicious:true
                              Reputation:low
                              Preview: B.:L...H
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                              Process:C:\Users\user\Desktop\INV.exe
                              File Type:data
                              Category:modified
                              Size (bytes):40
                              Entropy (8bit):5.153055907333276
                              Encrypted:false
                              SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                              MD5:4E5E92E2369688041CC82EF9650EDED2
                              SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                              SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                              SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                              Process:C:\Users\user\Desktop\INV.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):315080
                              Entropy (8bit):7.999403263872478
                              Encrypted:true
                              SSDEEP:6144:m8aeVE5MlgWfxwY/8uvJYRDMVpXUhXQrEBPgzC2D4Toqhs22DJM+iaPnW:mfwiMdxwYEYyWzw0TqC2kM+lnW
                              MD5:981C80683A41E2D9DD9C297DAA691C54
                              SHA1:7A1F5DDFFB3E630FE19E19F6AA923427DE72217B
                              SHA-256:6C67B680BB9CF41F30C37D791D9EE52582977C1D9D5696FEAE1613FC0C5E2DBE
                              SHA-512:72E4198AE2A65B7E1698925DF537CBA63A2877677C7C8FEA475E52B99E631272CFBEDCD5A4E1949EB7F8073C01229E89CCCD1ABBFD8832533346A6568750ADAE
                              Malicious:false
                              Preview: ..f# ....)1\*.....5....;.T..u.. .3.Xd... ....u(..._.V.{L..Y.8....~...S79.f0V...=.}...SJg|.lh.J..^Ge.........3h?n..:..r....,o."a.I....\..0Z.D..........^....[..f.I....@/_..".5+...I...J`./s..p-.....c..?...*.. .&.....>.Ye$=.pG.....9D...'7.w.a.[3.d.-..V..]..B.b.zA?..M..3...%A....K5@.. j.U.h.B....'...0."..u.V...d..c,r"..@9.9.>..cDgP~d9..St...{..24.s.'.....9.D..P4.....I...G..G5......u.-2...z1[.....C..n.6.!..'.%@&.l4..P..rc+vq..C5B.b*..j.W,..T..z......)BX4...>A.*~#..A....8..B....5....w....GC..........y......7...?.T.....!.....7A.........C.3......A.....hC..5'..42..zS.*2.m7....A.'/.R..X....}e...>........}...n.A...4..?.P.l..n.0.I`...".d1.(e|..f.....i.9.#...n..+..l....Xz.q...6".Hl...+...1^pgs...%.FR.T....(...=.rHX.d.9%...?..f?.Q.yi.D9/>....V..5......q...nP'...S.Y.....pu.!..-..\..|/....V.......NX....../.8..V.0.5`m$.{b..lw.K.3-..C3...-.2.Qb.....o...6z....`H...(..o.ag.-7../F..RoI..O#.u|.U.@....$;.....s.~.M...j?...q#.l..y..M.[../.....=T.......5HX.QJ...

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.892995395638637
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:INV.exe
                              File size:553472
                              MD5:9d64fa92ce93c242c09947e6a0a892a6
                              SHA1:463c942e70fee74aef894c0da58277c884d8c6bd
                              SHA256:e6a01ce5b7532b69a312fee870b244d1df1a6cac00551981c850ce38edc79af5
                              SHA512:92aaa8e0babd8b19264d9f4bab511fef60b64bc4e54e6d6f65010d4545f9d8670933a22121c0ba2ee54d61c66f63769ba971fd4c1f38ce6497ca8bb6dccae61a
                              SSDEEP:12288:tOL/Mq/d/xj06PDRQtc0DEt1G2AjKVUhCX+U3/4sQ+5C5xw:tOLUm/mWDk+RA+qgXF/4sQ+U5
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..a..............0..h..........>.... ........@.. ....................................@................................

                              File Icon

                              Icon Hash:00828e8e8686b000

                              Static PE Info

                              General

                              Entrypoint:0x48863e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x619DE066 [Wed Nov 24 06:49:10 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0x885e40x57.text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x8a0000x600.rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x8c0000xc.reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              .text0x20000x866440x86800False0.923913438081data7.90207517274IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .rsrc0x8a0000x6000x600False0.455078125data4.26873788537IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc0x8c0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              NameRVASizeTypeLanguageCountry
                              RT_VERSION0x8a0a00x370data
                              RT_MANIFEST0x8a4100x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                              Imports

                              DLLImport
                              mscoree.dll_CorExeMain

                              Version Infos

                              DescriptionData
                              Translation0x0000 0x04b0
                              LegalCopyright Real Estate LTD
                              Assembly Version2.9.0.0
                              InternalNameFORMATFLA.exe
                              FileVersion2.8.2.0
                              CompanyNameBuena Vista Realty Service
                              LegalTrademarks
                              Comments
                              ProductNameObjectHolderList
                              ProductVersion2.8.2.0
                              FileDescriptionObjectHolderList
                              OriginalFilenameFORMATFLA.exe

                              Network Behavior

                              Snort IDS Alerts

                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                              11/24/21-11:40:43.693178UDP254DNS SPOOF query response with TTL of 1 min. and no authority53620448.8.8.8192.168.2.6
                              11/24/21-11:40:55.238234UDP254DNS SPOOF query response with TTL of 1 min. and no authority53494488.8.8.8192.168.2.6
                              11/24/21-11:41:00.517317UDP254DNS SPOOF query response with TTL of 1 min. and no authority53603428.8.8.8192.168.2.6
                              11/24/21-11:41:11.773479UDP254DNS SPOOF query response with TTL of 1 min. and no authority53583848.8.8.8192.168.2.6
                              11/24/21-11:41:24.716787UDP254DNS SPOOF query response with TTL of 1 min. and no authority53537818.8.8.8192.168.2.6
                              11/24/21-11:41:36.939954UDP254DNS SPOOF query response with TTL of 1 min. and no authority53500108.8.8.8192.168.2.6
                              11/24/21-11:41:55.338434UDP254DNS SPOOF query response with TTL of 1 min. and no authority53622088.8.8.8192.168.2.6
                              11/24/21-11:42:07.300908UDP254DNS SPOOF query response with TTL of 1 min. and no authority53566288.8.8.8192.168.2.6
                              11/24/21-11:42:14.530221UDP254DNS SPOOF query response with TTL of 1 min. and no authority53607788.8.8.8192.168.2.6
                              11/24/21-11:42:26.568735UDP254DNS SPOOF query response with TTL of 1 min. and no authority53546838.8.8.8192.168.2.6

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Nov 24, 2021 11:40:43.712908983 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:43.741384983 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:43.741554976 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:43.831315994 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:43.873809099 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:43.920450926 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:43.987067938 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.015316963 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.017401934 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.126719952 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.268603086 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.399573088 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.399620056 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.399648905 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.399677038 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.399734974 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.399771929 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.427073002 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427139997 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427177906 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427208900 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427243948 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427272081 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.427277088 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427295923 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.427333117 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.427390099 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427428007 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.427596092 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.455275059 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455315113 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455343008 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455364943 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455387115 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455406904 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455427885 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455450058 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455476046 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455506086 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455533981 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455559015 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455586910 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455612898 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455638885 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455666065 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.455898046 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484093904 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484133005 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484160900 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484185934 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484214067 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484241009 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484261990 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484270096 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484285116 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484297991 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484324932 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484349012 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484358072 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484369040 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484375954 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484400034 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484421968 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484445095 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484452009 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484467030 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484472036 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484483004 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484497070 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484522104 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484545946 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484568119 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484572887 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484591007 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.484612942 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.484639883 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.511961937 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.511986971 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512003899 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512021065 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512037992 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512056112 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512075901 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512094975 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512110949 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512115002 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.512129068 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512144089 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.512150049 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512151957 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.512160063 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.512168884 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512171030 CET497531187192.168.2.6194.85.248.250
                              Nov 24, 2021 11:40:44.512187004 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512206078 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512223005 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512240887 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512258053 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512274981 CET118749753194.85.248.250192.168.2.6
                              Nov 24, 2021 11:40:44.512279034 CET497531187192.168.2.6194.85.248.250

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Nov 24, 2021 11:40:43.669563055 CET6204453192.168.2.68.8.8.8
                              Nov 24, 2021 11:40:43.693177938 CET53620448.8.8.8192.168.2.6
                              Nov 24, 2021 11:40:50.424350977 CET6379153192.168.2.68.8.8.8
                              Nov 24, 2021 11:40:50.444122076 CET53637918.8.8.8192.168.2.6
                              Nov 24, 2021 11:40:55.217364073 CET4944853192.168.2.68.8.8.8
                              Nov 24, 2021 11:40:55.238234043 CET53494488.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:00.488914013 CET6034253192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:00.517317057 CET53603428.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:06.762356997 CET6134653192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:06.782207966 CET53613468.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:11.752306938 CET5838453192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:11.773478985 CET53583848.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:17.746325970 CET6026153192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:17.766179085 CET53602618.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:24.693977118 CET5378153192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:24.716787100 CET53537818.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:30.877182961 CET6374553192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:30.895451069 CET53637458.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:36.918418884 CET5001053192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:36.939954042 CET53500108.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:43.336577892 CET6211653192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:43.356537104 CET53621168.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:49.437659025 CET5501453192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:49.455307961 CET53550148.8.8.8192.168.2.6
                              Nov 24, 2021 11:41:55.319106102 CET6220853192.168.2.68.8.8.8
                              Nov 24, 2021 11:41:55.338433981 CET53622088.8.8.8192.168.2.6
                              Nov 24, 2021 11:42:02.210747957 CET5181853192.168.2.68.8.8.8
                              Nov 24, 2021 11:42:02.228897095 CET53518188.8.8.8192.168.2.6
                              Nov 24, 2021 11:42:07.276382923 CET5662853192.168.2.68.8.8.8
                              Nov 24, 2021 11:42:07.300908089 CET53566288.8.8.8192.168.2.6
                              Nov 24, 2021 11:42:14.507567883 CET6077853192.168.2.68.8.8.8
                              Nov 24, 2021 11:42:14.530220985 CET53607788.8.8.8192.168.2.6
                              Nov 24, 2021 11:42:20.570477009 CET5379953192.168.2.68.8.8.8
                              Nov 24, 2021 11:42:20.592962027 CET53537998.8.8.8192.168.2.6
                              Nov 24, 2021 11:42:26.549261093 CET5468353192.168.2.68.8.8.8
                              Nov 24, 2021 11:42:26.568734884 CET53546838.8.8.8192.168.2.6

                              DNS Queries

                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                              Nov 24, 2021 11:40:43.669563055 CET192.168.2.68.8.8.80xb92cStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:40:50.424350977 CET192.168.2.68.8.8.80x60b7Standard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:40:55.217364073 CET192.168.2.68.8.8.80x2f78Standard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:00.488914013 CET192.168.2.68.8.8.80x673eStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:06.762356997 CET192.168.2.68.8.8.80xe54eStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:11.752306938 CET192.168.2.68.8.8.80x1451Standard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:17.746325970 CET192.168.2.68.8.8.80x66aaStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:24.693977118 CET192.168.2.68.8.8.80xe18eStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:30.877182961 CET192.168.2.68.8.8.80x376cStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:36.918418884 CET192.168.2.68.8.8.80x23c8Standard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:43.336577892 CET192.168.2.68.8.8.80x1f37Standard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:49.437659025 CET192.168.2.68.8.8.80x5e3fStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:55.319106102 CET192.168.2.68.8.8.80xbb7dStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:02.210747957 CET192.168.2.68.8.8.80x604eStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:07.276382923 CET192.168.2.68.8.8.80xa6cfStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:14.507567883 CET192.168.2.68.8.8.80x812bStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:20.570477009 CET192.168.2.68.8.8.80xa47aStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:26.549261093 CET192.168.2.68.8.8.80x909bStandard query (0)dera31.ddns.netA (IP address)IN (0x0001)

                              DNS Answers

                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                              Nov 24, 2021 11:40:43.693177938 CET8.8.8.8192.168.2.60xb92cNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:40:50.444122076 CET8.8.8.8192.168.2.60x60b7No error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:40:55.238234043 CET8.8.8.8192.168.2.60x2f78No error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:00.517317057 CET8.8.8.8192.168.2.60x673eNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:06.782207966 CET8.8.8.8192.168.2.60xe54eNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:11.773478985 CET8.8.8.8192.168.2.60x1451No error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:17.766179085 CET8.8.8.8192.168.2.60x66aaNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:24.716787100 CET8.8.8.8192.168.2.60xe18eNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:30.895451069 CET8.8.8.8192.168.2.60x376cNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:36.939954042 CET8.8.8.8192.168.2.60x23c8No error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:43.356537104 CET8.8.8.8192.168.2.60x1f37No error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:49.455307961 CET8.8.8.8192.168.2.60x5e3fNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:41:55.338433981 CET8.8.8.8192.168.2.60xbb7dNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:02.228897095 CET8.8.8.8192.168.2.60x604eNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:07.300908089 CET8.8.8.8192.168.2.60xa6cfNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:14.530220985 CET8.8.8.8192.168.2.60x812bNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:20.592962027 CET8.8.8.8192.168.2.60xa47aNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)
                              Nov 24, 2021 11:42:26.568734884 CET8.8.8.8192.168.2.60x909bNo error (0)dera31.ddns.net194.85.248.250A (IP address)IN (0x0001)

                              Code Manipulations

                              Statistics

                              Behavior

                              Click to jump to process

                              System Behavior

                              Analysis Process: INV.exe PID: 7072 Parent PID: 5084

                              General

                              Start time:11:40:22
                              Start date:24/11/2021
                              Path:C:\Users\user\Desktop\INV.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\INV.exe"
                              Imagebase:0xfd0000
                              File size:553472 bytes
                              MD5 hash:9D64FA92CE93C242C09947E6A0A892A6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.384059989.0000000003361000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.386415183.0000000004369000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Analysis Process: INV.exe PID: 6488 Parent PID: 7072

                              General

                              Start time:11:40:34
                              Start date:24/11/2021
                              Path:C:\Users\user\Desktop\INV.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\INV.exe
                              Imagebase:0x9c0000
                              File size:553472 bytes
                              MD5 hash:9D64FA92CE93C242C09947E6A0A892A6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.375140758.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.374658891.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.374169564.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.375865936.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Analysis Process: dhcpmon.exe PID: 5236 Parent PID: 3440

                              General

                              Start time:11:40:53
                              Start date:24/11/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                              Imagebase:0x470000
                              File size:553472 bytes
                              MD5 hash:9D64FA92CE93C242C09947E6A0A892A6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.440793413.0000000003A89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.438460036.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 20%, ReversingLabs
                              Reputation:low

                              Analysis Process: dhcpmon.exe PID: 6988 Parent PID: 5236

                              General

                              Start time:11:41:01
                              Start date:24/11/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Imagebase:0xbe0000
                              File size:553472 bytes
                              MD5 hash:9D64FA92CE93C242C09947E6A0A892A6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.452804151.0000000002FE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.432448182.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.435107271.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.452888597.0000000003FE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.451682758.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.434333489.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.433501662.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              Disassembly

                              Code Analysis

                              Reset < >