Windows Analysis Report INFORMATION CONFIRMATION LIST.exe

Overview

General Information

Sample Name: INFORMATION CONFIRMATION LIST.exe
Analysis ID: 552379
MD5: 6c6b35176645588b4b9a12b22b373acb
SHA1: 4c6da16811cb1f8c4877c34e517a4839d0d118e8
SHA256: 2a599c2395394c8a00d1689e9ca6c2481062ebb70c02c905562e68d7087b875c
Tags: exenanocore
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: INFORMATION CONFIRMATION LIST.exe Virustotal: Detection: 27% Perma Link
Source: INFORMATION CONFIRMATION LIST.exe ReversingLabs: Detection: 32%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Virustotal: Detection: 27% Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR
Machine Learning detection for sample
Source: INFORMATION CONFIRMATION LIST.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 27.0.dhcpmon.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Uses 32bit PE files
Source: INFORMATION CONFIRMATION LIST.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: INFORMATION CONFIRMATION LIST.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

barindex
Uses dynamic DNS services
Source: unknown DNS query: name: kashbilly.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49754 -> 197.211.59.104:6060
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.263941042.00000000018C7000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comttv
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: kashbilly.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.263697343.000000000152B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.30a9658.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.3139658.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: INFORMATION CONFIRMATION LIST.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.30a9658.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.30a9658.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.3139658.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.3139658.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 0_2_0311E6B0 0_2_0311E6B0
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 0_2_0311C284 0_2_0311C284
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 0_2_0311E6AB 0_2_0311E6AB
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 1_2_02B9E480 1_2_02B9E480
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 1_2_02B9E471 1_2_02B9E471
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 1_2_02B9BBD4 1_2_02B9BBD4
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 1_2_06640040 1_2_06640040
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 8_2_015CE6B0 8_2_015CE6B0
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 8_2_015CC284 8_2_015CC284
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 8_2_015CE6A2 8_2_015CE6A2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_02E2E6B0 13_2_02E2E6B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_02E2C284 13_2_02E2C284
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_02E2E6AA 13_2_02E2E6AA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_02E24569 13_2_02E24569
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F30040 13_2_08F30040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F35B68 13_2_08F35B68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F38180 13_2_08F38180
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F38170 13_2_08F38170
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F3A118 13_2_08F3A118
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F383E8 13_2_08F383E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F383DB 13_2_08F383DB
Sample file is different than original file name gathered from version info
Source: INFORMATION CONFIRMATION LIST.exe Binary or memory string: OriginalFilename vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.263697343.000000000152B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000000.240622186.0000000000EC2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.269769736.00000000097C0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe Binary or memory string: OriginalFilename vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000000.256258556.00000000007D2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.527688505.0000000006600000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe Binary or memory string: OriginalFilename vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.299630429.000000000138A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.306356765.00000000073F0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.298844131.0000000000C32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000012.00000000.288133600.00000000001A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000000.297862581.0000000000B72000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.323191417.000000000125A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: INFORMATION CONFIRMATION LIST.exe Virustotal: Detection: 27%
Source: INFORMATION CONFIRMATION LIST.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe File read: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Jump to behavior
Source: INFORMATION CONFIRMATION LIST.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe "C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe"
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe "C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe" 0
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INFORMATION CONFIRMATION LIST.exe.log Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe File created: C:\Users\user\AppData\Local\Temp\tmp820C.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@24/8@7/1
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{51e297f7-7758-4d32-86af-0aafa20a3f56}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4604:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: INFORMATION CONFIRMATION LIST.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INFORMATION CONFIRMATION LIST.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: INFORMATION CONFIRMATION LIST.exe, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.ec0000.0.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.1.dr, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.9.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.0.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.5.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.3.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.7d0000.1.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.11.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.7.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.2.unpack, Auto_Machine/AutoMachine.cs .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: INFORMATION CONFIRMATION LIST.exe, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.ec0000.0.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: dhcpmon.exe.1.dr, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.9.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.0.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.5.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.3.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.7d0000.1.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.11.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.7.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.2.unpack, Auto_Machine/AutoMachine.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 0_2_00EC76EA push es; ret 0_2_00EC7F94
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 0_2_09683B4D push FFFFFF8Bh; iretd 0_2_09683B4F
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 0_2_09683A52 push dword ptr [ebx+ebp-75h]; iretd 0_2_09683A5D
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 1_2_007D76EA push es; ret 1_2_007D7F94
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 8_2_00C376EA push es; ret 8_2_00C37F94
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 8_2_071B3C0D push FFFFFF8Bh; iretd 8_2_071B3C0F
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Code function: 8_2_071B3B12 push dword ptr [ebx+ebp-75h]; iretd 8_2_071B3B1D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_00BE76EA push es; ret 13_2_00BE7F94
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_07213C0D push FFFFFF8Bh; iretd 13_2_07213C0F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_07213B12 push dword ptr [ebx+ebp-75h]; iretd 13_2_07213B1D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_08F3D9F8 push es; ret 13_2_08F3D9F9
Source: initial sample Static PE information: section name: .text entropy: 7.66243187306
Source: initial sample Static PE information: section name: .text entropy: 7.66243187306
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe File opened: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 16.2.dhcpmon.exe.2911e34.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.308b954.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.3021e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.32c1e84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.3051e84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.297b940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.30bba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.332ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 6016 Thread sleep time: -33320s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 4320 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 4308 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 6032 Thread sleep time: -35080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 5712 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3560 Thread sleep time: -33874s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5724 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5780 Thread sleep time: -34374s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6128 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Window / User API: threadDelayed 4715 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Window / User API: threadDelayed 4754 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Window / User API: foregroundWindowGot 848 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 33320 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 35080 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 33874 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 34374 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp Binary or memory string: vmware
Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Memory written: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Memory written: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522014006.0000000003300000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.519294102.0000000002DFD000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.521705733.000000000302F000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522036495.000000000330C000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522077860.000000000333A000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.527957291.0000000006B4D000.00000004.00000010.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.521868372.00000000031BC000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.520798752.0000000002EA7000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526501260.000000000604B000.00000004.00000010.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522102865.000000000334A000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526663527.00000000062BD000.00000004.00000010.sdmp Binary or memory string: Program Manager
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.521705733.000000000302F000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.520798752.0000000002EA7000.00000004.00000001.sdmp Binary or memory string: Program Manager@

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 552379 Sample: INFORMATION CONFIRMATION LIST.exe Startdate: 13/01/2022 Architecture: WINDOWS Score: 100 54 kashbilly.ddns.net 2->54 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 12 other signatures 2->64 9 INFORMATION CONFIRMATION LIST.exe 3 2->9         started        13 dhcpmon.exe 3 2->13         started        15 dhcpmon.exe 2 2->15         started        17 INFORMATION CONFIRMATION LIST.exe 2 2->17         started        signatures3 process4 file5 52 C:\...\INFORMATION CONFIRMATION LIST.exe.log, ASCII 9->52 dropped 68 Injects a PE file into a foreign processes 9->68 19 INFORMATION CONFIRMATION LIST.exe 1 12 9->19         started        24 dhcpmon.exe 13->24         started        26 dhcpmon.exe 13->26         started        28 dhcpmon.exe 15->28         started        30 dhcpmon.exe 15->30         started        32 INFORMATION CONFIRMATION LIST.exe 2 17->32         started        34 INFORMATION CONFIRMATION LIST.exe 17->34         started        signatures6 process7 dnsIp8 56 kashbilly.ddns.net 197.211.59.104, 6060 globacom-asNG Nigeria 19->56 44 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->44 dropped 46 C:\Users\user\AppData\Roaming\...\run.dat, data 19->46 dropped 48 C:\Users\user\AppData\Local\...\tmp820C.tmp, XML 19->48 dropped 50 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->50 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->66 36 schtasks.exe 1 19->36         started        38 schtasks.exe 1 19->38         started        file9 signatures10 process11 process12 40 conhost.exe 36->40         started        42 conhost.exe 38->42         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
197.211.59.104
 kashbilly.ddns.net Nigeria
37148 globacom-asNG false

Contacted Domains

Name IP Active
kashbilly.ddns.net 197.211.59.104 true