Play interactive tour

Edit tour

Windows Analysis Report INFORMATION CONFIRMATION LIST.exe

Overview

General Information

Sample Name:	INFORMATION CONFIRMATION LIST.exe
Analysis ID:	552379
MD5:	6c6b35176645588b4b9a12b22b373acb
SHA1:	4c6da16811cb1f8c4877c34e517a4839d0d118e8
SHA256:	2a599c2395394c8a00d1689e9ca6c2481062ebb70c02c905562e68d7087b875c
Tags:	exenanocore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

INFORMATION CONFIRMATION LIST.exe (PID: 5944 cmdline: "C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe" MD5: 6C6B35176645588B4B9A12B22B373ACB)

INFORMATION CONFIRMATION LIST.exe (PID: 5760 cmdline: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe MD5: 6C6B35176645588B4B9A12B22B373ACB)

schtasks.exe (PID: 4624 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4528 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

INFORMATION CONFIRMATION LIST.exe (PID: 4532 cmdline: "C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe" 0 MD5: 6C6B35176645588B4B9A12B22B373ACB)

INFORMATION CONFIRMATION LIST.exe (PID: 5128 cmdline: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe MD5: 6C6B35176645588B4B9A12B22B373ACB)

INFORMATION CONFIRMATION LIST.exe (PID: 4860 cmdline: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe MD5: 6C6B35176645588B4B9A12B22B373ACB)

dhcpmon.exe (PID: 1400 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 6C6B35176645588B4B9A12B22B373ACB)

dhcpmon.exe (PID: 3000 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 6C6B35176645588B4B9A12B22B373ACB)

dhcpmon.exe (PID: 5344 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 6C6B35176645588B4B9A12B22B373ACB)

dhcpmon.exe (PID: 4404 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 6C6B35176645588B4B9A12B22B373ACB)

dhcpmon.exe (PID: 6208 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 6C6B35176645588B4B9A12B22B373ACB)

dhcpmon.exe (PID: 6280 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 6C6B35176645588B4B9A12B22B373ACB)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f5b4:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4356d:$a: NanoCore 0x435c6:$a: NanoCore 0x43603:$a: NanoCore 0x4367c:$a: NanoCore 0x56d27:$a: NanoCore 0x56d3c:$a: NanoCore 0x56d71:$a: NanoCore 0x6fd2b:$a: NanoCore 0x6fd40:$a: NanoCore 0x6fd75:$a: NanoCore 0x435cf:$b: ClientPlugin 0x4360c:$b: ClientPlugin 0x43f0a:$b: ClientPlugin 0x43f17:$b: ClientPlugin 0x56ae3:$b: ClientPlugin 0x56afe:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56d45:$b: ClientPlugin 0x56d7a:$b: ClientPlugin 0x6fae7:$b: ClientPlugin 0x6fb02:$b: ClientPlugin
00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x888b5:$x1: NanoCore.ClientPluginHost 0xbb4d5:$x1: NanoCore.ClientPluginHost 0xedef5:$x1: NanoCore.ClientPluginHost 0x888f2:$x2: IClientNetworkHost 0xbb512:$x2: IClientNetworkHost 0xedf32:$x2: IClientNetworkHost 0x8c425:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbf045:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf1a65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8861d:$a: NanoCore 0x8862d:$a: NanoCore 0x88861:$a: NanoCore 0x88875:$a: NanoCore 0x888b5:$a: NanoCore 0xbb23d:$a: NanoCore 0xbb24d:$a: NanoCore 0xbb481:$a: NanoCore 0xbb495:$a: NanoCore 0xbb4d5:$a: NanoCore 0xedc5d:$a: NanoCore 0xedc6d:$a: NanoCore 0xedea1:$a: NanoCore 0xedeb5:$a: NanoCore 0xedef5:$a: NanoCore 0x8867c:$b: ClientPlugin 0x8887e:$b: ClientPlugin 0x888be:$b: ClientPlugin 0xbb29c:$b: ClientPlugin 0xbb49e:$b: ClientPlugin 0xbb4de:$b: ClientPlugin
0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x888b5:$x1: NanoCore.ClientPluginHost 0xbb4d5:$x1: NanoCore.ClientPluginHost 0xedef5:$x1: NanoCore.ClientPluginHost 0x888f2:$x2: IClientNetworkHost 0xbb512:$x2: IClientNetworkHost 0xedf32:$x2: IClientNetworkHost 0x8c425:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbf045:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf1a65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8861d:$a: NanoCore 0x8862d:$a: NanoCore 0x88861:$a: NanoCore 0x88875:$a: NanoCore 0x888b5:$a: NanoCore 0xbb23d:$a: NanoCore 0xbb24d:$a: NanoCore 0xbb481:$a: NanoCore 0xbb495:$a: NanoCore 0xbb4d5:$a: NanoCore 0xedc5d:$a: NanoCore 0xedc6d:$a: NanoCore 0xedea1:$a: NanoCore 0xedeb5:$a: NanoCore 0xedef5:$a: NanoCore 0x8867c:$b: ClientPlugin 0x8887e:$b: ClientPlugin 0x888be:$b: ClientPlugin 0xbb29c:$b: ClientPlugin 0xbb49e:$b: ClientPlugin 0xbb4de:$b: ClientPlugin
00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4356d:$a: NanoCore 0x435c6:$a: NanoCore 0x43603:$a: NanoCore 0x4367c:$a: NanoCore 0x56d27:$a: NanoCore 0x56d3c:$a: NanoCore 0x56d71:$a: NanoCore 0x6fd2b:$a: NanoCore 0x6fd40:$a: NanoCore 0x6fd75:$a: NanoCore 0x435cf:$b: ClientPlugin 0x4360c:$b: ClientPlugin 0x43f0a:$b: ClientPlugin 0x43f17:$b: ClientPlugin 0x56ae3:$b: ClientPlugin 0x56afe:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56d45:$b: ClientPlugin 0x56d7a:$b: ClientPlugin 0x6fae7:$b: ClientPlugin 0x6fb02:$b: ClientPlugin
0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x888b5:$x1: NanoCore.ClientPluginHost 0xbb4d5:$x1: NanoCore.ClientPluginHost 0xedef5:$x1: NanoCore.ClientPluginHost 0x888f2:$x2: IClientNetworkHost 0xbb512:$x2: IClientNetworkHost 0xedf32:$x2: IClientNetworkHost 0x8c425:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbf045:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf1a65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8861d:$a: NanoCore 0x8862d:$a: NanoCore 0x88861:$a: NanoCore 0x88875:$a: NanoCore 0x888b5:$a: NanoCore 0xbb23d:$a: NanoCore 0xbb24d:$a: NanoCore 0xbb481:$a: NanoCore 0xbb495:$a: NanoCore 0xbb4d5:$a: NanoCore 0xedc5d:$a: NanoCore 0xedc6d:$a: NanoCore 0xedea1:$a: NanoCore 0xedeb5:$a: NanoCore 0xedef5:$a: NanoCore 0x8867c:$b: ClientPlugin 0x8887e:$b: ClientPlugin 0x888be:$b: ClientPlugin 0xbb29c:$b: ClientPlugin 0xbb49e:$b: ClientPlugin 0xbb4de:$b: ClientPlugin
00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4356d:$a: NanoCore 0x435c6:$a: NanoCore 0x43603:$a: NanoCore 0x4367c:$a: NanoCore 0x56d27:$a: NanoCore 0x56d3c:$a: NanoCore 0x56d71:$a: NanoCore 0x6fd2b:$a: NanoCore 0x6fd40:$a: NanoCore 0x6fd75:$a: NanoCore 0x435cf:$b: ClientPlugin 0x4360c:$b: ClientPlugin 0x43f0a:$b: ClientPlugin 0x43f17:$b: ClientPlugin 0x56ae3:$b: ClientPlugin 0x56afe:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56d45:$b: ClientPlugin 0x56d7a:$b: ClientPlugin 0x6fae7:$b: ClientPlugin 0x6fb02:$b: ClientPlugin
00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f5b4:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1256d:$a: NanoCore 0x125c6:$a: NanoCore 0x12603:$a: NanoCore 0x1267c:$a: NanoCore 0x25d27:$a: NanoCore 0x25d3c:$a: NanoCore 0x25d71:$a: NanoCore 0x3ed2b:$a: NanoCore 0x3ed40:$a: NanoCore 0x3ed75:$a: NanoCore 0x125cf:$b: ClientPlugin 0x1260c:$b: ClientPlugin 0x12f0a:$b: ClientPlugin 0x12f17:$b: ClientPlugin 0x25ae3:$b: ClientPlugin 0x25afe:$b: ClientPlugin 0x25b2e:$b: ClientPlugin 0x25d45:$b: ClientPlugin 0x25d7a:$b: ClientPlugin 0x3eae7:$b: ClientPlugin 0x3eb02:$b: ClientPlugin
00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x694cb:$a: NanoCore 0x69524:$a: NanoCore 0x69561:$a: NanoCore 0x695da:$a: NanoCore 0x6952d:$b: ClientPlugin 0x6956a:$b: ClientPlugin 0x69e68:$b: ClientPlugin 0x69e75:$b: ClientPlugin 0x5f648:$e: KeepAlive 0x699b5:$g: LogClientMessage 0x69935:$i: get_Connected 0x59901:$j: #=q 0x59931:$j: #=q 0x5996d:$j: #=q 0x59995:$j: #=q 0x599c5:$j: #=q 0x599f5:$j: #=q 0x59a25:$j: #=q 0x59a55:$j: #=q 0x59a71:$j: #=q 0x59aa1:$j: #=q
00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x888b5:$x1: NanoCore.ClientPluginHost 0xbb4d5:$x1: NanoCore.ClientPluginHost 0xedef5:$x1: NanoCore.ClientPluginHost 0x888f2:$x2: IClientNetworkHost 0xbb512:$x2: IClientNetworkHost 0xedf32:$x2: IClientNetworkHost 0x8c425:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbf045:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf1a65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8861d:$a: NanoCore 0x8862d:$a: NanoCore 0x88861:$a: NanoCore 0x88875:$a: NanoCore 0x888b5:$a: NanoCore 0xbb23d:$a: NanoCore 0xbb24d:$a: NanoCore 0xbb481:$a: NanoCore 0xbb495:$a: NanoCore 0xbb4d5:$a: NanoCore 0xedc5d:$a: NanoCore 0xedc6d:$a: NanoCore 0xedea1:$a: NanoCore 0xedeb5:$a: NanoCore 0xedef5:$a: NanoCore 0x8867c:$b: ClientPlugin 0x8887e:$b: ClientPlugin 0x888be:$b: ClientPlugin 0xbb29c:$b: ClientPlugin 0xbb49e:$b: ClientPlugin 0xbb4de:$b: ClientPlugin
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5349:$x1: NanoCore.ClientPluginHost 0x5386:$x2: IClientNetworkHost 0x8e77:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1fded:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2b151:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5016:$a: NanoCore 0x5026:$a: NanoCore 0x50e5:$a: NanoCore 0x50f4:$a: NanoCore 0x52f5:$a: NanoCore 0x5309:$a: NanoCore 0x5349:$a: NanoCore 0x10567:$a: NanoCore 0x10579:$a: NanoCore 0x105b5:$a: NanoCore 0x1c457:$a: NanoCore 0x1c469:$a: NanoCore 0x1c4a5:$a: NanoCore 0x277bb:$a: NanoCore 0x277cd:$a: NanoCore 0x27809:$a: NanoCore 0x5075:$b: ClientPlugin 0x513e:$b: ClientPlugin 0x5312:$b: ClientPlugin 0x5352:$b: ClientPlugin 0x10582:$b: ClientPlugin
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x261bd:$x1: NanoCore.ClientPluginHost 0x32481:$x1: NanoCore.ClientPluginHost 0x7d31e:$x1: NanoCore.ClientPluginHost 0xa4f45:$x1: NanoCore.ClientPluginHost 0xc1bbd:$x1: NanoCore.ClientPluginHost 0x261ea:$x2: IClientNetworkHost 0x324be:$x2: IClientNetworkHost 0x7d338:$x2: IClientNetworkHost 0xa4f5f:$x2: IClientNetworkHost 0xc1bd7:$x2: IClientNetworkHost 0x35faf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x41035:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x128a0:$a: NanoCore 0x26173:$a: NanoCore 0x26188:$a: NanoCore 0x261bd:$a: NanoCore 0x2b33f:$a: NanoCore 0x2b352:$a: NanoCore 0x2b384:$a: NanoCore 0x3214e:$a: NanoCore 0x3215e:$a: NanoCore 0x3221d:$a: NanoCore 0x3222c:$a: NanoCore 0x3242d:$a: NanoCore 0x32441:$a: NanoCore 0x32481:$a: NanoCore 0x3d69f:$a: NanoCore 0x3d6b1:$a: NanoCore 0x3d6ed:$a: NanoCore 0x7047d:$a: NanoCore 0x704d9:$a: NanoCore 0x70558:$a: NanoCore 0x7d288:$a: NanoCore
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6fd62:$x1: NanoCore.ClientPluginHost 0x6fd9f:$x2: IClientNetworkHost 0x73890:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7e916:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8a806:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x95b6a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6fa2f:$a: NanoCore 0x6fa3f:$a: NanoCore 0x6fafe:$a: NanoCore 0x6fb0d:$a: NanoCore 0x6fd0e:$a: NanoCore 0x6fd22:$a: NanoCore 0x6fd62:$a: NanoCore 0x7af80:$a: NanoCore 0x7af92:$a: NanoCore 0x7afce:$a: NanoCore 0x86e70:$a: NanoCore 0x86e82:$a: NanoCore 0x86ebe:$a: NanoCore 0x921d4:$a: NanoCore 0x921e6:$a: NanoCore 0x92222:$a: NanoCore 0x6fa8e:$b: ClientPlugin 0x6fb57:$b: ClientPlugin 0x6fd2b:$b: ClientPlugin 0x6fd6b:$b: ClientPlugin 0x7af9b:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 1400	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x53580:$x1: NanoCore.ClientPluginHost 0x535bd:$x2: IClientNetworkHost 0x570ae:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x62134:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6e024:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79388:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 1400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 1400	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 1400	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5324d:$a: NanoCore 0x5325d:$a: NanoCore 0x5331c:$a: NanoCore 0x5332b:$a: NanoCore 0x5352c:$a: NanoCore 0x53540:$a: NanoCore 0x53580:$a: NanoCore 0x5e79e:$a: NanoCore 0x5e7b0:$a: NanoCore 0x5e7ec:$a: NanoCore 0x6a68e:$a: NanoCore 0x6a6a0:$a: NanoCore 0x6a6dc:$a: NanoCore 0x759f2:$a: NanoCore 0x75a04:$a: NanoCore 0x75a40:$a: NanoCore 0x532ac:$b: ClientPlugin 0x53375:$b: ClientPlugin 0x53549:$b: ClientPlugin 0x53589:$b: ClientPlugin 0x5e7b9:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 4404	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfb04:$x1: NanoCore.ClientPluginHost 0xfb41:$x2: IClientNetworkHost 0x13632:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e6b8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2a5a8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3590c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 4404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 4404	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 4404	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf7d1:$a: NanoCore 0xf7e1:$a: NanoCore 0xf8a0:$a: NanoCore 0xf8af:$a: NanoCore 0xfab0:$a: NanoCore 0xfac4:$a: NanoCore 0xfb04:$a: NanoCore 0x1ad22:$a: NanoCore 0x1ad34:$a: NanoCore 0x1ad70:$a: NanoCore 0x26c12:$a: NanoCore 0x26c24:$a: NanoCore 0x26c60:$a: NanoCore 0x31f76:$a: NanoCore 0x31f88:$a: NanoCore 0x31fc4:$a: NanoCore 0xf830:$b: ClientPlugin 0xf8f9:$b: ClientPlugin 0xfacd:$b: ClientPlugin 0xfb0d:$b: ClientPlugin 0x1ad3d:$b: ClientPlugin
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a1a2:$x1: NanoCore.ClientPluginHost 0x3362e:$x1: NanoCore.ClientPluginHost 0x612fb:$x1: NanoCore.ClientPluginHost 0x1a1df:$x2: IClientNetworkHost 0x33648:$x2: IClientNetworkHost 0x61315:$x2: IClientNetworkHost 0x1dcd0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x28d56:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19e6f:$a: NanoCore 0x19e7f:$a: NanoCore 0x19f3e:$a: NanoCore 0x19f4d:$a: NanoCore 0x1a14e:$a: NanoCore 0x1a162:$a: NanoCore 0x1a1a2:$a: NanoCore 0x253c0:$a: NanoCore 0x253d2:$a: NanoCore 0x2540e:$a: NanoCore 0x33598:$a: NanoCore 0x335f1:$a: NanoCore 0x3362e:$a: NanoCore 0x336a7:$a: NanoCore 0x33f60:$a: NanoCore 0x33fb3:$a: NanoCore 0x33fec:$a: NanoCore 0x3405f:$a: NanoCore 0x3b631:$a: NanoCore 0x3b644:$a: NanoCore 0x3b676:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5344	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa7f1:$x1: NanoCore.ClientPluginHost 0x31c68:$x1: NanoCore.ClientPluginHost 0x5b429:$x1: NanoCore.ClientPluginHost 0xa82e:$x2: IClientNetworkHost 0x31c82:$x2: IClientNetworkHost 0x5b443:$x2: IClientNetworkHost 0xe31f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x193a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5344	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5344	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa4be:$a: NanoCore 0xa4ce:$a: NanoCore 0xa58d:$a: NanoCore 0xa59c:$a: NanoCore 0xa79d:$a: NanoCore 0xa7b1:$a: NanoCore 0xa7f1:$a: NanoCore 0x15a0f:$a: NanoCore 0x15a21:$a: NanoCore 0x15a5d:$a: NanoCore 0x2ccf3:$a: NanoCore 0x31bd2:$a: NanoCore 0x31c2b:$a: NanoCore 0x31c68:$a: NanoCore 0x31ce1:$a: NanoCore 0x3259a:$a: NanoCore 0x325ed:$a: NanoCore 0x32626:$a: NanoCore 0x32699:$a: NanoCore 0x39c6b:$a: NanoCore 0x39c7e:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6280	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf2fc:$x1: NanoCore.ClientPluginHost 0x3ccc5:$x1: NanoCore.ClientPluginHost 0x516e1:$x1: NanoCore.ClientPluginHost 0xf339:$x2: IClientNetworkHost 0x3ccdf:$x2: IClientNetworkHost 0x516fb:$x2: IClientNetworkHost 0x12e2a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1deb0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6280	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6280	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xefc9:$a: NanoCore 0xefd9:$a: NanoCore 0xf098:$a: NanoCore 0xf0a7:$a: NanoCore 0xf2a8:$a: NanoCore 0xf2bc:$a: NanoCore 0xf2fc:$a: NanoCore 0x1a51a:$a: NanoCore 0x1a52c:$a: NanoCore 0x1a568:$a: NanoCore 0x272b4:$a: NanoCore 0x27310:$a: NanoCore 0x27395:$a: NanoCore 0x3cc2f:$a: NanoCore 0x3cc88:$a: NanoCore 0x3ccc5:$a: NanoCore 0x3cd3e:$a: NanoCore 0x3d4cc:$a: NanoCore 0x3d51f:$a: NanoCore 0x3d558:$a: NanoCore 0x3d5cb:$a: NanoCore
Click to see the 123 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
24.2.dhcpmon.exe.30a9658.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
24.2.dhcpmon.exe.30a9658.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.dhcpmon.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.dhcpmon.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.dhcpmon.exe.4124bed.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
27.2.dhcpmon.exe.4124bed.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
27.2.dhcpmon.exe.4124bed.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.2911e34.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
27.2.dhcpmon.exe.411b78e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
27.2.dhcpmon.exe.411b78e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
27.2.dhcpmon.exe.411b78e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.dhcpmon.exe.411b78e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
27.2.dhcpmon.exe.41205c4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
27.2.dhcpmon.exe.41205c4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
27.2.dhcpmon.exe.41205c4.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.4094bed.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
24.2.dhcpmon.exe.4094bed.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
24.2.dhcpmon.exe.4094bed.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.0.dhcpmon.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.dhcpmon.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3901728.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3901728.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.3901728.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3901728.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
24.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.0.dhcpmon.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.dhcpmon.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.dhcpmon.exe.4011728.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.4011728.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.dhcpmon.exe.4011728.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.4011728.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
27.2.dhcpmon.exe.3139658.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
27.2.dhcpmon.exe.3139658.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.308b954.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
24.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.0.dhcpmon.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.dhcpmon.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.dhcpmon.exe.3021e48.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
27.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.dhcpmon.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.dhcpmon.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.dhcpmon.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.dhcpmon.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.dhcpmon.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.dhcpmon.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.INFORMATION CONFIRMATION LIST.exe.32c1e84.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
8.2.INFORMATION CONFIRMATION LIST.exe.3051e84.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.4044348.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.4044348.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.dhcpmon.exe.4044348.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.4044348.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.dhcpmon.exe.297b940.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
24.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.0.dhcpmon.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.dhcpmon.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.2.dhcpmon.exe.41205c4.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
27.2.dhcpmon.exe.41205c4.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
27.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.INFORMATION CONFIRMATION LIST.exe.30bba30.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
27.0.dhcpmon.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
27.2.dhcpmon.exe.41205c4.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.dhcpmon.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.dhcpmon.exe.40905c4.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
24.2.dhcpmon.exe.40905c4.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
24.2.dhcpmon.exe.40905c4.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.dhcpmon.exe.408b78e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5e7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d614:$x2: IClientNetworkHost
24.2.dhcpmon.exe.408b78e.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5e7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6c2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d601:$s5: IClientLoggingHost
24.2.dhcpmon.exe.408b78e.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.dhcpmon.exe.408b78e.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d59d:$a: NanoCore 0x2d5b2:$a: NanoCore 0x2d5e7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d359:$b: ClientPlugin 0x2d374:$b: ClientPlugin
0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
24.2.dhcpmon.exe.40905c4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
24.2.dhcpmon.exe.40905c4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
24.2.dhcpmon.exe.40905c4.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.0.dhcpmon.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.0.dhcpmon.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.INFORMATION CONFIRMATION LIST.exe.332ba30.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
16.2.dhcpmon.exe.3934348.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3934348.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.3934348.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3934348.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287b1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287de:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287b1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2988c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287cb:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24188:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241b5:$x2: IClientNetworkHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24188:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25263:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241a2:$s5: IClientLoggingHost
1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3934348.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3934348.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3934348.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x104b48:$c: ProjectData 0x168568:$c: ProjectData 0x10a82:$d: DESCrypto
8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x104b48:$c: ProjectData 0x168568:$c: ProjectData 0x10a82:$d: DESCrypto
16.2.dhcpmon.exe.3901728.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3901728.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3901728.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x104b48:$c: ProjectData 0x168568:$c: ProjectData 0x10a82:$d: DESCrypto
13.2.dhcpmon.exe.4044348.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.4044348.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.4044348.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x104b48:$c: ProjectData 0x168568:$c: ProjectData 0x10a82:$d: DESCrypto
8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
13.2.dhcpmon.exe.4011728.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.4011728.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.4011728.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
Click to see the 226 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe, ProcessId: 5760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp

Show sources

Source: Process started

Author: frack113: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe, ParentImage: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe, ParentProcessId: 5760, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp, ProcessId: 4624

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: INFORMATION CONFIRMATION LIST.exe	Virustotal: Detection: 27%			Perma Link
Source: INFORMATION CONFIRMATION LIST.exe	ReversingLabs: Detection: 32%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 27%			Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 32%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: INFORMATION CONFIRMATION LIST.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack	Avira: Label: TR/NanoCore.fadte
Source: 27.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: INFORMATION CONFIRMATION LIST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: INFORMATION CONFIRMATION LIST.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: kashbilly.ddns.net

Source: global traffic

TCP traffic: 192.168.2.5:49754 -> 197.211.59.104:6060

Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.263941042.00000000018C7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comttv
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: kashbilly.ddns.net

Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.263697343.000000000152B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.30a9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.3139658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: INFORMATION CONFIRMATION LIST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.30a9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.30a9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.2db3410.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.3139658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.3139658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.5f00000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.INFORMATION CONFIRMATION LIST.exe.30796ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 0_2_0311E6B0	0_2_0311E6B0
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 0_2_0311C284	0_2_0311C284
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 0_2_0311E6AB	0_2_0311E6AB
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 1_2_02B9E480	1_2_02B9E480
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 1_2_02B9E471	1_2_02B9E471
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 1_2_02B9BBD4	1_2_02B9BBD4
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 1_2_06640040	1_2_06640040
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 8_2_015CE6B0	8_2_015CE6B0
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 8_2_015CC284	8_2_015CC284
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 8_2_015CE6A2	8_2_015CE6A2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_02E2E6B0	13_2_02E2E6B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_02E2C284	13_2_02E2C284
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_02E2E6AA	13_2_02E2E6AA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_02E24569	13_2_02E24569
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F30040	13_2_08F30040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F35B68	13_2_08F35B68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F38180	13_2_08F38180
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F38170	13_2_08F38170
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F3A118	13_2_08F3A118
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F383E8	13_2_08F383E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F383DB	13_2_08F383DB

Source: INFORMATION CONFIRMATION LIST.exe	Binary or memory string: OriginalFilename vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.263697343.000000000152B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000000.240622186.0000000000EC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.269769736.00000000097C0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe	Binary or memory string: OriginalFilename vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000000.256258556.00000000007D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.527688505.0000000006600000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe	Binary or memory string: OriginalFilename vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.299630429.000000000138A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.306356765.00000000073F0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.298844131.0000000000C32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000012.00000000.288133600.00000000001A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000000.297862581.0000000000B72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.323191417.000000000125A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INFORMATION CONFIRMATION LIST.exe
Source: INFORMATION CONFIRMATION LIST.exe	Binary or memory string: OriginalFilenameFoundDatePatte.exe: vs INFORMATION CONFIRMATION LIST.exe

Source: INFORMATION CONFIRMATION LIST.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: INFORMATION CONFIRMATION LIST.exe	Virustotal: Detection: 27%
Source: INFORMATION CONFIRMATION LIST.exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

File read: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Jump to behavior

Source: INFORMATION CONFIRMATION LIST.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe "C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe"
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe "C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe" 0
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INFORMATION CONFIRMATION LIST.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

File created: C:\Users\user\AppData\Local\Temp\tmp820C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/8@7/1

Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{51e297f7-7758-4d32-86af-0aafa20a3f56}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4604:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: INFORMATION CONFIRMATION LIST.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: INFORMATION CONFIRMATION LIST.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: INFORMATION CONFIRMATION LIST.exe, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.ec0000.0.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.1.dr, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.9.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.0.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.5.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.3.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.7d0000.1.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.11.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.7.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.2.unpack, Auto_Machine/AutoMachine.cs	.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: INFORMATION CONFIRMATION LIST.exe, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.INFORMATION CONFIRMATION LIST.exe.ec0000.0.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: dhcpmon.exe.1.dr, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.9.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.0.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.5.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.3.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.7d0000.1.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.11.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.7.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.7d0000.2.unpack, Auto_Machine/AutoMachine.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 0_2_00EC76EA push es; ret	0_2_00EC7F94
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 0_2_09683B4D push FFFFFF8Bh; iretd	0_2_09683B4F
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 0_2_09683A52 push dword ptr [ebx+ebp-75h]; iretd	0_2_09683A5D
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 1_2_007D76EA push es; ret	1_2_007D7F94
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 8_2_00C376EA push es; ret	8_2_00C37F94
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 8_2_071B3C0D push FFFFFF8Bh; iretd	8_2_071B3C0F
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Code function: 8_2_071B3B12 push dword ptr [ebx+ebp-75h]; iretd	8_2_071B3B1D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_00BE76EA push es; ret	13_2_00BE7F94
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_07213C0D push FFFFFF8Bh; iretd	13_2_07213C0F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_07213B12 push dword ptr [ebx+ebp-75h]; iretd	13_2_07213B1D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_08F3D9F8 push es; ret	13_2_08F3D9F9

Source: initial sample	Static PE information: section name: .text entropy: 7.66243187306
Source: initial sample	Static PE information: section name: .text entropy: 7.66243187306

Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

File opened: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 16.2.dhcpmon.exe.2911e34.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.308b954.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.3021e48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.32c1e84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.3051e84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.297b940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.30bba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.332ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 6016	Thread sleep time: -33320s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 4320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 4308	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 6032	Thread sleep time: -35080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 5712	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3560	Thread sleep time: -33874s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5780	Thread sleep time: -34374s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe TID: 6184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6444	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Window / User API: threadDelayed 4715	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Window / User API: threadDelayed 4754	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Window / User API: foregroundWindowGot 848	Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 33320	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 35080	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 33874	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 34374	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Memory written: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Memory written: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Process created: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522014006.0000000003300000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.519294102.0000000002DFD000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.521705733.000000000302F000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522036495.000000000330C000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522077860.000000000333A000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.527957291.0000000006B4D000.00000004.00000010.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.521868372.00000000031BC000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.520798752.0000000002EA7000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526501260.000000000604B000.00000004.00000010.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.522102865.000000000334A000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526663527.00000000062BD000.00000004.00000010.sdmp	Binary or memory string: Program Manager
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.516841599.00000000015F0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.521705733.000000000302F000.00000004.00000001.sdmp, INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.520798752.0000000002EA7000.00000004.00000001.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: INFORMATION CONFIRMATION LIST.exe, 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dbb78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.4124bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.411b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.4094bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.4064bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.405b78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.41205c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.INFORMATION CONFIRMATION LIST.exe.40605c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.408b78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.dhcpmon.exe.40905c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.6164629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc05c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.INFORMATION CONFIRMATION LIST.exe.3dc4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3934348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4074348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3901728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42e4348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4044348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.INFORMATION CONFIRMATION LIST.exe.4041728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INFORMATION CONFIRMATION LIST.exe.42b1728.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.4011728.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 5760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: INFORMATION CONFIRMATION LIST.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6280, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection112	Masquerading2	Input Capture21	Security Software Discovery21	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing23	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
INFORMATION CONFIRMATION LIST.exe	28%	Virustotal		Browse
INFORMATION CONFIRMATION LIST.exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot
INFORMATION CONFIRMATION LIST.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	28%	Virustotal		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.dhcpmon.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.0.dhcpmon.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.0.dhcpmon.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.INFORMATION CONFIRMATION LIST.exe.6160000.7.unpack	100%	Avira	TR/NanoCore.fadte	Download File
27.0.dhcpmon.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.0.dhcpmon.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.dhcpmon.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.dhcpmon.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.2.INFORMATION CONFIRMATION LIST.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.0.INFORMATION CONFIRMATION LIST.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.0.INFORMATION CONFIRMATION LIST.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.0.dhcpmon.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.INFORMATION CONFIRMATION LIST.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.dhcpmon.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.0.INFORMATION CONFIRMATION LIST.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
1.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
24.0.dhcpmon.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.INFORMATION CONFIRMATION LIST.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comttv	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kashbilly.ddns.net	197.211.59.104	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.tiro.com	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comttv	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.263941042.00000000018C7000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.fonts.com	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	INFORMATION CONFIRMATION LIST.exe, 00000000.00000002.267780920.0000000007422000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
197.211.59.104	kashbilly.ddns.net	Nigeria		37148	globacom-asNG	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	552379
Start date:	13.01.2022
Start time:	09:26:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	INFORMATION CONFIRMATION LIST.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@24/8@7/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 60.7% Quality standard deviation: 33.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 103 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:27:19	API Interceptor	893x Sleep call for process: INFORMATION CONFIRMATION LIST.exe modified
09:27:26	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:27:28	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe" s>$(Arg0)
09:27:32	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:27:37	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	501760
Entropy (8bit):	7.649885964608304
Encrypted:	false
SSDEEP:	12288:WoDPV+dqhMU9PqlAKDWFyMjK3HOiXThh:FDsdqhMSPqCyYqv
MD5:	6C6B35176645588B4B9A12B22B373ACB
SHA1:	4C6DA16811CB1F8C4877C34E517A4839D0D118E8
SHA-256:	2A599C2395394C8A00D1689E9CA6C2481062EBB70C02C905562E68D7087B875C
SHA-512:	9761AF17CDCFF220EA97D64EE4300BA0FC7F6CB043E9A2DDDBA9CAAA50953F6139299313505B467565AF169FD1E41DB04990C4D5222D349034F523F1D3460631
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 28%, Browse Antivirus: ReversingLabs, Detection: 33%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ........@.. ....................................@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......@d...Z......0.......0............................................0..F........r...p.(....(....s......{.....rC..po....o......{.....rS..po....o........}.....(.......(.......}......{....(........0..T.........{.....}....(....o.......(.....(....Y.Y.(....o.......( ....(!...Y.Y....s"...(#....:..{.....}......&..($.....0..+.........,..{.......+....,...{....o%.......(&......0..H.........s'...}.....s(...}.....s'...}.....s'...}.....s)...}.....s...}.....{....o+.....(,.....{

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INFORMATION CONFIRMATION LIST.exe.log Download File
Process:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5:	A9EFF9253CAF99EC8665E41D736DDAED
SHA1:	D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256:	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512:	96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5:	A9EFF9253CAF99EC8665E41D736DDAED
SHA1:	D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256:	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512:	96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp820C.tmp Download File
Process:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.125318589632226
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PJ7xtn:cbk4oL600QydbQxIYODOLedq3SVj
MD5:	F2434F2DB8347B1BEA87A32E049BC791
SHA1:	F67766FBF90E2A08006DAD5938C7FD75A5DEC85E
SHA-256:	2D0AF243475F94BFB88409A06463575603EB6610A67DDFC03FD928B66E3EAAAF
SHA-512:	ADF101EC58935FFA47A348B7B0E088A49D4CA759AB77D555493A79CBE30BE973BBF400776F313420E135D978E054E26E5744286691502B7677504F89D67D0EEC
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp Download File
Process:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Cw:L
MD5:	ADC66397F14E88D6066BE489AD370EB7
SHA1:	13A51034E7FE646C71A13CCDAF1633DFFB1A11F8
SHA-256:	E0BAD6A8F28A278717B9D7050B5AA982675C076C6A93AE9A485E85AEFD11D890
SHA-512:	1AC3D2ED11C9FF3D0DE7A46E02C01483AE672292B09990A9DD373234BABD4C0155FA8DBDFBC3234A1760843198951C132705FE952CC0AA5144473FB319414791
Malicious:	true
Reputation:	unknown
Preview:	.......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.5984246110664895
Encrypted:	false
SSDEEP:	3:oNUWJRWsrdhyTWJ:oNNJAsr7yaJ
MD5:	7E562972A6FB64B037D0E7CD37E244F7
SHA1:	E2E22DEB1F7018D7B7F34605ED99190A204D6B9F
SHA-256:	65F6DF530F84EAF8D9E1D1AD3B8A1E4D80C07D6B2017E8558CD7A5D807C931A6
SHA-512:	6A35A38432ADA25F2EA7B8D467A802D8E95A2BDA18D95E518F65AA60D576EA3551A110CA0E64A4CAF4ECB45F53C86E2CA5A010F4C03A676798B963F7D9A1991A
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.649885964608304
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	INFORMATION CONFIRMATION LIST.exe
File size:	501760
MD5:	6c6b35176645588b4b9a12b22b373acb
SHA1:	4c6da16811cb1f8c4877c34e517a4839d0d118e8
SHA256:	2a599c2395394c8a00d1689e9ca6c2481062ebb70c02c905562e68d7087b875c
SHA512:	9761af17cdcff220ea97d64ee4300ba0fc7f6cb043e9a2dddba9caaa50953f6139299313505b467565af169fd1e41db04990c4d5222d349034f523f1d3460631
SSDEEP:	12288:WoDPV+dqhMU9PqlAKDWFyMjK3HOiXThh:FDsdqhMSPqCyYqv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47bd9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61DF8AF0 [Thu Jan 13 02:14:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc ecx
add byte ptr [edx+00h], al
push eax
add byte ptr [edx], ch
add byte ptr [23000000h], ch
add byte ptr [eax], al
add byte ptr [edi], cl
add byte ptr [eax], al
add byte ptr [00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7bd4c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x79dbc	0x79e00	False	0.856899038462	data	7.66243187306	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7c000	0x5e0	0x600	False	0.432942708333	data	4.15418868179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7c090	0x350	data
RT_MANIFEST	0x7c3f0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Tintai 2013
Assembly Version	1.1.0.0
InternalName	FoundDatePatte.exe
FileVersion	1.1.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Auto Machine
ProductVersion	1.1.0.0
FileDescription	Auto Machine
OriginalFilename	FoundDatePatte.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/22-09:27:34.566953	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54795	8.8.8.8	192.168.2.5
01/13/22-09:27:51.551288	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	61733	8.8.8.8	192.168.2.5
01/13/22-09:28:26.499132	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60151	8.8.8.8	192.168.2.5
01/13/22-09:29:21.787211	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54791	8.8.8.8	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 09:27:34.583456039 CET	49754	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:27:37.664482117 CET	49754	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:27:43.664977074 CET	49754	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:27:51.555352926 CET	49757	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:27:54.556715012 CET	49757	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:00.572623968 CET	49757	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:08.281095982 CET	49763	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:11.432997942 CET	49763	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:17.433387041 CET	49763	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:26.500771046 CET	49773	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:29.512567997 CET	49773	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:35.622417927 CET	49773	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:44.977493048 CET	49807	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:48.000818014 CET	49807	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:28:53.998943090 CET	49807	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:29:03.435981035 CET	49813	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:29:06.437463999 CET	49813	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:29:12.437952042 CET	49813	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:29:21.788089037 CET	49815	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:29:24.798358917 CET	49815	6060	192.168.2.5	197.211.59.104
Jan 13, 2022 09:29:30.798979998 CET	49815	6060	192.168.2.5	197.211.59.104

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 09:27:34.545644045 CET	54795	53	192.168.2.5	8.8.8.8
Jan 13, 2022 09:27:34.566952944 CET	53	54795	8.8.8.8	192.168.2.5
Jan 13, 2022 09:27:51.530292034 CET	61733	53	192.168.2.5	8.8.8.8
Jan 13, 2022 09:27:51.551287889 CET	53	61733	8.8.8.8	192.168.2.5
Jan 13, 2022 09:28:08.262094975 CET	59596	53	192.168.2.5	8.8.8.8
Jan 13, 2022 09:28:08.279342890 CET	53	59596	8.8.8.8	192.168.2.5
Jan 13, 2022 09:28:26.480551958 CET	60151	53	192.168.2.5	8.8.8.8
Jan 13, 2022 09:28:26.499131918 CET	53	60151	8.8.8.8	192.168.2.5
Jan 13, 2022 09:28:44.956362963 CET	54757	53	192.168.2.5	8.8.8.8
Jan 13, 2022 09:28:44.975611925 CET	53	54757	8.8.8.8	192.168.2.5
Jan 13, 2022 09:29:03.416762114 CET	64345	53	192.168.2.5	8.8.8.8
Jan 13, 2022 09:29:03.434125900 CET	53	64345	8.8.8.8	192.168.2.5
Jan 13, 2022 09:29:21.768193007 CET	54791	53	192.168.2.5	8.8.8.8
Jan 13, 2022 09:29:21.787210941 CET	53	54791	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2022 09:27:34.545644045 CET	192.168.2.5	8.8.8.8	0x9089	Standard query (0)	kashbilly.ddns.net	A (IP address)	IN (0x0001)
Jan 13, 2022 09:27:51.530292034 CET	192.168.2.5	8.8.8.8	0xd17c	Standard query (0)	kashbilly.ddns.net	A (IP address)	IN (0x0001)
Jan 13, 2022 09:28:08.262094975 CET	192.168.2.5	8.8.8.8	0x3010	Standard query (0)	kashbilly.ddns.net	A (IP address)	IN (0x0001)
Jan 13, 2022 09:28:26.480551958 CET	192.168.2.5	8.8.8.8	0xca66	Standard query (0)	kashbilly.ddns.net	A (IP address)	IN (0x0001)
Jan 13, 2022 09:28:44.956362963 CET	192.168.2.5	8.8.8.8	0x7d4f	Standard query (0)	kashbilly.ddns.net	A (IP address)	IN (0x0001)
Jan 13, 2022 09:29:03.416762114 CET	192.168.2.5	8.8.8.8	0x3d9f	Standard query (0)	kashbilly.ddns.net	A (IP address)	IN (0x0001)
Jan 13, 2022 09:29:21.768193007 CET	192.168.2.5	8.8.8.8	0x6e94	Standard query (0)	kashbilly.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 13, 2022 09:27:34.566952944 CET	8.8.8.8	192.168.2.5	0x9089	No error (0)	kashbilly.ddns.net	197.211.59.104	A (IP address)	IN (0x0001)
Jan 13, 2022 09:27:51.551287889 CET	8.8.8.8	192.168.2.5	0xd17c	No error (0)	kashbilly.ddns.net	197.211.59.104	A (IP address)	IN (0x0001)
Jan 13, 2022 09:28:08.279342890 CET	8.8.8.8	192.168.2.5	0x3010	No error (0)	kashbilly.ddns.net	197.211.59.104	A (IP address)	IN (0x0001)
Jan 13, 2022 09:28:26.499131918 CET	8.8.8.8	192.168.2.5	0xca66	No error (0)	kashbilly.ddns.net	197.211.59.104	A (IP address)	IN (0x0001)
Jan 13, 2022 09:28:44.975611925 CET	8.8.8.8	192.168.2.5	0x7d4f	No error (0)	kashbilly.ddns.net	197.211.59.104	A (IP address)	IN (0x0001)
Jan 13, 2022 09:29:03.434125900 CET	8.8.8.8	192.168.2.5	0x3d9f	No error (0)	kashbilly.ddns.net	197.211.59.104	A (IP address)	IN (0x0001)
Jan 13, 2022 09:29:21.787210941 CET	8.8.8.8	192.168.2.5	0x6e94	No error (0)	kashbilly.ddns.net	197.211.59.104	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 5944 Parent PID: 6020

General

Start time:	09:27:12
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe"
Imagebase:	0xec0000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.265183487.0000000004239000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.264212005.00000000032D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.264080160.0000000003231000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 5760 Parent PID: 5944

General

Start time:	09:27:20
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Imagebase:	0x7d0000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000000.261981801.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.526582144.0000000006160000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000000.259830236.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.512207738.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.518799524.0000000002D71000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000000.260204856.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.523536861.0000000003DAA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000000.261090435.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.524911015.0000000005F00000.00000004.00020000.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4624 Parent PID: 5760

General

Start time:	09:27:26
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp820C.tmp
Imagebase:	0x1270000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4604 Parent PID: 4624

General

Start time:	09:27:27
Start date:	13/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 4532 Parent PID: 904

General

Start time:	09:27:28
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe" 0
Imagebase:	0x7ff797770000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.300404167.0000000003064000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.300307230.0000000002FC1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.300771610.0000000003FC9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4528 Parent PID: 5760

General

Start time:	09:27:29
Start date:	13/01/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8CCB.tmp
Imagebase:	0x1270000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4556 Parent PID: 4528

General

Start time:	09:27:31
Start date:	13/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 1400 Parent PID: 904

General

Start time:	09:27:32
Start date:	13/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0xbe0000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.310564174.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.311061484.0000000003F99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.310696295.0000000003034000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 28%, Virustotal, Browse Detection: 33%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 4404 Parent PID: 3472

General

Start time:	09:27:34
Start date:	13/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x2f0000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.324510699.0000000003889000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.323912695.0000000002924000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.323677605.0000000002881000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 5128 Parent PID: 4532

General

Start time:	09:27:34
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Imagebase:	0x1a0000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 4860 Parent PID: 4532

General

Start time:	09:27:36
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\INFORMATION CONFIRMATION LIST.exe
Imagebase:	0xb70000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.295280234.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.324466242.0000000004019000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.297703495.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.295881871.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.296607452.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.324314955.0000000003011000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.320716900.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 3000 Parent PID: 1400

General

Start time:	09:27:38
Start date:	13/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x210000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5344 Parent PID: 1400

General

Start time:	09:27:40
Start date:	13/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xce0000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000000.302302805.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.333703399.0000000004049000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.332200661.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000000.306212068.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.333597444.0000000003041000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000000.303465197.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000000.304879446.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6208 Parent PID: 4404

General

Start time:	09:27:41
Start date:	13/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x140000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6280 Parent PID: 4404

General

Start time:	09:27:43
Start date:	13/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xdc0000
File size:	501760 bytes
MD5 hash:	6C6B35176645588B4B9A12B22B373ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.312722643.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.309977599.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.342876940.00000000030D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.316433634.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.341874563.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.342977338.00000000040D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.310754452.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 5944 Parent PID: 6020 INFORMATION CONFIRMATION LIST.exeCOMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	7

Executed Functions

Function 0311E6B0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3647871ea6c82fe48c5176285910f63034c24107aa3c314115eea80a41c4ea13
Instruction ID: 0b959430989ced93add1d650771ca4028ca27047bf06a820279e7a1f3de54f59
Opcode Fuzzy Hash: 3647871ea6c82fe48c5176285910f63034c24107aa3c314115eea80a41c4ea13
Instruction Fuzzy Hash: 3C12D7F1431766CAD710DF65E98E1893FE1B745328F90E208E2612BAD1DFB8154AEF44

Uniqueness

Uniqueness Score: -1.00%

Function 0311E6AB, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350c78628d93a70534120927ca1ccf9b246fc84056dbd550df92ae387e23f33a
Instruction ID: f2793c11470e0a8d249fc6bf7c36b277d26bd2638db9e106263e678b075c5de5
Opcode Fuzzy Hash: 350c78628d93a70534120927ca1ccf9b246fc84056dbd550df92ae387e23f33a
Instruction Fuzzy Hash: 57C118F1431756CADB10DF65E88A1893FE1BB85328F50E309E2616B6D1DFB81486EF84

Uniqueness

Uniqueness Score: -1.00%

Function 0311FCE3, Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ba5e26334fe8ca24ff18456d57a5a756f3df5f13b7da7a0217011626ac7f7b
Instruction ID: 2308663f684299c13a190069e577efed6ca30e836b9942966bdbfd7193b86380
Opcode Fuzzy Hash: 44ba5e26334fe8ca24ff18456d57a5a756f3df5f13b7da7a0217011626ac7f7b
Instruction Fuzzy Hash: 14A17075C093899FCF02CFA5C854AC9FFB1FF4A304F1982AAE445AB262D3359856CB51

Uniqueness

Uniqueness Score: -1.00%

Function 031194E8, Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0311972E

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 95eef2dd8e63a99ae4357018bee7566c0bb03e7c80b22f0f3f26901734452459
Instruction ID: 770d834c4ed8a2320493893df5117e2ca0dc3c85facb741ca7bc66c545975c14
Opcode Fuzzy Hash: 95eef2dd8e63a99ae4357018bee7566c0bb03e7c80b22f0f3f26901734452459
Instruction Fuzzy Hash: D27153B0A00B058FD764CF6AC15479ABBF5BF88204F048A2ED49ADBA54DB34E855CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0311DD18, Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0311FF4A

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 52b3efdafc7bf0e3aabb46f982b3118ff111f078c236a5a4dd49f65ad6459aad
Instruction ID: 35789f59f5ec312745de36b3d3b1db702540b3ebdb0a4b0e357c48820b1b2593
Opcode Fuzzy Hash: 52b3efdafc7bf0e3aabb46f982b3118ff111f078c236a5a4dd49f65ad6459aad
Instruction Fuzzy Hash: A851E0B1C00309AFDB15CFA9C884ADEBBF5FF49314F25862AE419AB251D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0311DD34, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0311FF4A

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6e393879a66de4993f775d23f5a7523633521d1de5ee9c817d2fad3ecdc6c8b0
Instruction ID: 70156ff8320f4e9b878fbbe188fc1b9e211b7a503b15b5f5e1b3a769a283a374
Opcode Fuzzy Hash: 6e393879a66de4993f775d23f5a7523633521d1de5ee9c817d2fad3ecdc6c8b0
Instruction Fuzzy Hash: 7A51B0B1D003099FDB14CF99C984ADEBBF5BF88314F24862AE419AB210D7749855CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03115374, Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03115431

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6febd039f50e130c27fbae92339f803398f5713e457f79abf7e5e6e3134c7d1a
Instruction ID: 114170768e4a019d8ffac32f53f08979ea71467df5b978c06894f7c075c3f1cc
Opcode Fuzzy Hash: 6febd039f50e130c27fbae92339f803398f5713e457f79abf7e5e6e3134c7d1a
Instruction Fuzzy Hash: E24107B1C00729CFDB14CF9AC9447CEBBB6BF89308F248469D409AB251EB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03113E6C, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03115431

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d7ba9707c71e3e6772ecd64afc28499c187da4f182fa78c59b66619d3a0f1b02
Instruction ID: 0a23b1684cfbd9fb8ba055c56f4a9f0e635c9119720793a2531270c66e55d17e
Opcode Fuzzy Hash: d7ba9707c71e3e6772ecd64afc28499c187da4f182fa78c59b66619d3a0f1b02
Instruction Fuzzy Hash: 1F410570C00718CFDB24CF9AC9847CEBBB6BF89304F648469D409AB251DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0311BABB, Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0311B9BE,?,?,?,?,?), ref: 0311BA7F

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a0637a5aeab8f39bdd829dbd7f74e9a237461e84d273882d2f3d172028558408
Instruction ID: ea483be91c50cd46511d302efc4395c23dc7f4b2e04fdd2ff4a7b8c569d38d3f
Opcode Fuzzy Hash: a0637a5aeab8f39bdd829dbd7f74e9a237461e84d273882d2f3d172028558408
Instruction Fuzzy Hash: F931F574A64204DFEB04CF69F49A7A9BBB5E788752F10C02AF9059B381DF794811EF21

Uniqueness

Uniqueness Score: -1.00%

Function 0311A224, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0311B9BE,?,?,?,?,?), ref: 0311BA7F

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed02a966148d1f6510965a23eff7511f57c14d789cb073756bf351f590c9f7b1
Instruction ID: 15b4837f3667758c2164a4763dd30d466d5bf2912b5372757de403ec55d25d03
Opcode Fuzzy Hash: ed02a966148d1f6510965a23eff7511f57c14d789cb073756bf351f590c9f7b1
Instruction Fuzzy Hash: AC21E3B5900219EFDB10CF9AD584ADEBFF8EB48324F14842AE914A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0311B9F0, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0311B9BE,?,?,?,?,?), ref: 0311BA7F

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9256e0258d91bd4dcc8c3e0e03ec8b5a90e2585fcd1ed83c8c3b94a99f3bccfa
Instruction ID: a235b10a866a055f23706fac7cdb02251c06cfe1ace05f1ab36a875b4bc982cb
Opcode Fuzzy Hash: 9256e0258d91bd4dcc8c3e0e03ec8b5a90e2585fcd1ed83c8c3b94a99f3bccfa
Instruction Fuzzy Hash: 7621E5B5D00209AFDB10CFA9D584ADEBFF8EB48324F14846AE914A3310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03118818, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031197A9,00000800,00000000,00000000), ref: 031199BA

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 068acb4ef95cf7138fbf2f8aa499e1f7644f3b58d126843993eed96edb16a92f
Instruction ID: fb4cc4bdfa8a9114849d75339a9956c9c2ea7b6edebf087f4d6bd408ec6a604c
Opcode Fuzzy Hash: 068acb4ef95cf7138fbf2f8aa499e1f7644f3b58d126843993eed96edb16a92f
Instruction Fuzzy Hash: 051103B69002099FDB10CF9AC588BDEFBF4AB88324F14842AE525B7610D374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0311994B, Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031197A9,00000800,00000000,00000000), ref: 031199BA

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7bb74bf72c6eb0004ef76854bcc09f544152a75e27be85d89df16b286f945b53
Instruction ID: bf0247665212e567782a979a980c660346f8f747e0bbf25eb687980ad114b399
Opcode Fuzzy Hash: 7bb74bf72c6eb0004ef76854bcc09f544152a75e27be85d89df16b286f945b53
Instruction Fuzzy Hash: B01114B2C002099FDB10CF9AC584BDEFBF8AB88324F14842AD425B7610C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 031196C8, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0311972E

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: acbf51323d5bf2d622028806a70f659c486b8d1399a682ea5744b84d7eb30e96
Instruction ID: 1f15ead3cb26dc5bb98b59f9b89b8e23517685bf28e787f313e88ae3aa4e1037
Opcode Fuzzy Hash: acbf51323d5bf2d622028806a70f659c486b8d1399a682ea5744b84d7eb30e96
Instruction Fuzzy Hash: 231110B6C002098FDB10CF9AC448BDEFBF4AF88324F14842AD829B7610C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 096812F9, Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0968135D

Memory Dump Source

Source File: 00000000.00000002.269668825.0000000009680000.00000040.00000001.sdmp, Offset: 09680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9680000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a3b83c8135e95db89a8dfc005bde53c04c47710e26ca49dbb46077ee0e944795
Instruction ID: 0263951321f64e06dbc0cc62639b79f4091414226275d4d8bcec1f725a071cf3
Opcode Fuzzy Hash: a3b83c8135e95db89a8dfc005bde53c04c47710e26ca49dbb46077ee0e944795
Instruction Fuzzy Hash: BF11F5B58002089FDB10DF99D489BDFBBF8EB49324F14851AE554A7610C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 09681300, Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0968135D

Memory Dump Source

Source File: 00000000.00000002.269668825.0000000009680000.00000040.00000001.sdmp, Offset: 09680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9680000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c3e778d14f01e0dc622c305d3e188187a0d9e544cb37a54b1956f8be42254945
Instruction ID: 8c30fe7a6d8c1413153e6b0338221a406f888d19906a2d1163b0118c5713e7db
Opcode Fuzzy Hash: c3e778d14f01e0dc622c305d3e188187a0d9e544cb37a54b1956f8be42254945
Instruction Fuzzy Hash: A91115B5800308DFDB10DF99C488BDFBBF8EB48324F14851AE554A3600C374A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014FD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263610498.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8588b82b72683297204e4793755c73d784f2c2a4b9fc9b2ef96eb8cad5221e
Instruction ID: dd2197e0900a3da5b8c9d6ba47e6a983c31704a8d4f5c316ea2834b449d25749
Opcode Fuzzy Hash: 2d8588b82b72683297204e4793755c73d784f2c2a4b9fc9b2ef96eb8cad5221e
Instruction Fuzzy Hash: 492106B1900244DFDB05DF94D9C4B67BF65FB88318F24896ED9050B366C336D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014FD3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263610498.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e9ac3a3790651da00733cb07f983236c639fb6645b409be5ab0870de9227a5
Instruction ID: 651ac205d0e78b2e8a762a0e3a14868a09506b21725f5e076f10170329d3e2f6
Opcode Fuzzy Hash: 66e9ac3a3790651da00733cb07f983236c639fb6645b409be5ab0870de9227a5
Instruction Fuzzy Hash: 6421F4B1900204DFDB05CF94D9C4B96BB65FB84324F24857EDA050B326C336E846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263629273.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7315b78c5d35c2b29d79f5e6c7f085f52a98ecf749c3805e2ea97edd3aeaed68
Instruction ID: 781e6bb60144843c0dc01695cdaf6f7bb9ea70874ad03e3600c9da44aff568e5
Opcode Fuzzy Hash: 7315b78c5d35c2b29d79f5e6c7f085f52a98ecf749c3805e2ea97edd3aeaed68
Instruction Fuzzy Hash: 5621F571904305EFDB02DFD4D5C4B2ABBB5FB84324F24C969E8094F286C336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0150D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263629273.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7966ebbe48951310de9d96a739ebe9a23a2d9eaeb9e3b73b12c833586aed92fa
Instruction ID: 1a619f5598a1cd4c9da8eb72049bdfc29dc7dd9d91187f317c8ca31208d4540d
Opcode Fuzzy Hash: 7966ebbe48951310de9d96a739ebe9a23a2d9eaeb9e3b73b12c833586aed92fa
Instruction Fuzzy Hash: 872100B1604204EFDB12CFD4D9D4B2ABBB5FB84364F24C969D80D4F286D33AD806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0150D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263629273.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bd34f8086c6c0d49b8b288acaab7c6944a7d6bb80afe722e622052681bf721
Instruction ID: ba7b3f565970d2bbf7ac4835a3bbca10607661606c4306296c49369c092d720d
Opcode Fuzzy Hash: a4bd34f8086c6c0d49b8b288acaab7c6944a7d6bb80afe722e622052681bf721
Instruction Fuzzy Hash: 7D2192755093808FDB03CFA4D990B15BF71FB46214F28C5DAD8498F697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 014FD3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263610498.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction ID: cb7f4e22a7e316ba98cd23f945065c9bae885d5b1c55a75446e5ce054d65dbf4
Opcode Fuzzy Hash: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction Fuzzy Hash: 0D11A276804240DFDB12CF54D5C4B56BF71FB84324F2486AED9050B766C33AD456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014FD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263610498.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction ID: 2913d89dcc19cbacf7caee6f2c1081e217d0ae6e4e444e4b585a4688d4741f04
Opcode Fuzzy Hash: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction Fuzzy Hash: 4311AF76804280CFDB12CF54D9C4B16BF71FB84324F2486AED9450B766C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0150D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263629273.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction ID: f90e82577e5ad9b27ba90d6c363332f2705cc9305dcf672f70ad5b0aa093d6dc
Opcode Fuzzy Hash: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction Fuzzy Hash: 1B118B75904280DFDB12CF98D5C4B19BBB1FB84224F28C6A9D8494F696C33AD45ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 014FD651, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263610498.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b042a9abad52353aca1fd827505fe29f25a96d7ad264cd231b6c3f02683eaa
Instruction ID: dba5174f1c45f0556c42f1fa17a7b1b430ba8047206a416840fee1d362b83e0c
Opcode Fuzzy Hash: 43b042a9abad52353aca1fd827505fe29f25a96d7ad264cd231b6c3f02683eaa
Instruction Fuzzy Hash: D001F7718043449AF7109E99CD847A3BFDCEF40674F18881FEE0C5A362D7789844CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 014FD650, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.263610498.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14fd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76c3b304501607a98b256267344e99f31abf44029c585150df4560c87d44153
Instruction ID: ae457d99914541450877a84a89ee3808509405bc1f42ea529f1b3686dc9d75b3
Opcode Fuzzy Hash: d76c3b304501607a98b256267344e99f31abf44029c585150df4560c87d44153
Instruction Fuzzy Hash: C1F04F71804244AAF7118A59C984B63FF98EF41674F18855AEE085F792D278A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0311C284, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.264031877.0000000003110000.00000040.00000001.sdmp, Offset: 03110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3110000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6629ec23cf7e70e66de6527325b500bc132e8cf122ec37f24c4fd7ae23aba14
Instruction ID: aeaf3ff439926c3594e3eeb2b38f2e646f01ab2f2f348a2aabb211c3bdbcbb88
Opcode Fuzzy Hash: f6629ec23cf7e70e66de6527325b500bc132e8cf122ec37f24c4fd7ae23aba14
Instruction Fuzzy Hash: ADA16036E10219CFCF05DFA5D8845EEBBF2FF89300B1581BAE405AB261DB31A955CB80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 5760 Parent PID: 5944 INFORMATION CONFIRMATION LIST.exeCOMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	137
Total number of Limit Nodes:	7

Executed Functions

Function 02B9B6C0, Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B9B730
GetCurrentThread.KERNEL32 ref: 02B9B76D
GetCurrentProcess.KERNEL32 ref: 02B9B7AA
GetCurrentThreadId.KERNEL32 ref: 02B9B803

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bb8bbf3ee78a203df350efeae28d100755352cbd9b3b257f7a9f54c52372d4fd
Instruction ID: 7a360ea8202cc692876a4c8cdf37e698b56294a582950a29c4a1c470c1a7ae91
Opcode Fuzzy Hash: bb8bbf3ee78a203df350efeae28d100755352cbd9b3b257f7a9f54c52372d4fd
Instruction Fuzzy Hash: 275165B0D00348CFDB04CFA9D688BDEBBF0AF49308F2485AAE419A72A0D7345945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02B9B6D0, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B9B730
GetCurrentThread.KERNEL32 ref: 02B9B76D
GetCurrentProcess.KERNEL32 ref: 02B9B7AA
GetCurrentThreadId.KERNEL32 ref: 02B9B803

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 72d8d7500a6fdead3edbab9bb390b5dc1123087f60f6749fb1362431fd4d9e4a
Instruction ID: 0c901a7caa26ea03fcc8a3fa3f41734b7dcd32cff1c0c43c6e96c923f0d6a417
Opcode Fuzzy Hash: 72d8d7500a6fdead3edbab9bb390b5dc1123087f60f6749fb1362431fd4d9e4a
Instruction Fuzzy Hash: 7A5143B0D00648CFDB14CFA9D688BDEBBF1AF88318F2085A9E419A7360D7755844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02B9FAA0, Relevance: 1.8, APIs: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B9FD0A

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f3b665daa90edd2ab71750b7cc978d4cf48e56aee10ac19cf748412a027ff567
Instruction ID: 1c618aafeab2322e7f852f99703a79dde3b4f9b93a33996e533a2ef5c533b212
Opcode Fuzzy Hash: f3b665daa90edd2ab71750b7cc978d4cf48e56aee10ac19cf748412a027ff567
Instruction Fuzzy Hash: D0913D718093899FDF02CFB8C8919D9BFB1AF4B314F5981EAE8849B162C7345859CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06643558, Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.527840562.0000000006640000.00000040.00000001.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2748652841213ead9aebac23bdb60c8f9ce89db4fe9ebe9c27017dfb9f1c549
Instruction ID: 5b65f25b771de19cee37fb1a96fe7733dea978b40e72a80774db263d72a2d7cc
Opcode Fuzzy Hash: b2748652841213ead9aebac23bdb60c8f9ce89db4fe9ebe9c27017dfb9f1c549
Instruction Fuzzy Hash: 768166B1D04219CFDB54EFAAC9846DEBBB5BF48304F20852AD415BB350DB70A94ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B993E8, Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B9962E

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f9fabd53d5b4f28fc7bbc59eab93fbc88c1b1795f5485683eb36ffe18151b8a8
Instruction ID: 9e3889680746e7914b19be75177a37a53eb12f94d16adc8573a366dbfcc33584
Opcode Fuzzy Hash: f9fabd53d5b4f28fc7bbc59eab93fbc88c1b1795f5485683eb36ffe18151b8a8
Instruction Fuzzy Hash: 1B711070A00B058FDB64CF6AC0457AABBF5FB89214F048A6ED48AD7A50DB35E8458F91

Uniqueness

Uniqueness Score: -1.00%

Function 06641909, Relevance: 1.6, APIs: 1, Instructions: 145
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06643738

Memory Dump Source

Source File: 00000001.00000002.527840562.0000000006640000.00000040.00000001.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: f8f41c50c78c5c02ecb7055e7368b7040ab3418205df8254b23d2817cfcf06f0
Instruction ID: 5e568b09984719b10a8a29e0184b909a9d42b7ef9b2d5830143c90f8269fff21
Opcode Fuzzy Hash: f8f41c50c78c5c02ecb7055e7368b7040ab3418205df8254b23d2817cfcf06f0
Instruction Fuzzy Hash: 385123B0D042199FDB54DFAAC8846DDBBB5BF48314F24852AE815BB350DBB4A846CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06643604, Relevance: 1.6, APIs: 1, Instructions: 141
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06643738

Memory Dump Source

Source File: 00000001.00000002.527840562.0000000006640000.00000040.00000001.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: b7fc95f32880f1de8189b1d72e0c36ab84f340e553ccf45492dc6059d70918fc
Instruction ID: ca9545dcf02a81c059026006806a2d32bf90c6ca65d8f18996f08258eff1a698
Opcode Fuzzy Hash: b7fc95f32880f1de8189b1d72e0c36ab84f340e553ccf45492dc6059d70918fc
Instruction Fuzzy Hash: 115122B1D04219CFDB54DFAAC9846DEBBB5BF48304F24852AE815BB350DB70A846CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06641914, Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06643738

Memory Dump Source

Source File: 00000001.00000002.527840562.0000000006640000.00000040.00000001.sdmp, Offset: 06640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6640000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 8086761d2d84ce7a2ae2b2af75169f5f00e074e37ae38e8668815fb27af2c81e
Instruction ID: 67c0ba83ea88dfcc8048ca022ebe44f669517df1e4dd3ad84f0cc0d8f5d16790
Opcode Fuzzy Hash: 8086761d2d84ce7a2ae2b2af75169f5f00e074e37ae38e8668815fb27af2c81e
Instruction Fuzzy Hash: DF5112B0D042199FDB54DFAAC8846DEBBB5BF48304F24842AE815BB350DB74A846CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02B9FBF8, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B9FD0A

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b922c567c636e796dbb271475a66c653cbd7901685859fc52b21f6817ad87dcf
Instruction ID: e3a95602a6bed69dfd01a72850c15bc5e97aec7b4eae0915c67c9bd85ff96b1b
Opcode Fuzzy Hash: b922c567c636e796dbb271475a66c653cbd7901685859fc52b21f6817ad87dcf
Instruction Fuzzy Hash: EF41CEB1D00309AFDF14CF99C984ADEBBB5FF88354F24816AE819AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B9BCF9, Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B9BD87

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bbfe8463b54e1bd479bffcb8e573b07428f7dae61db7a93e5ecd99f9e79b0222
Instruction ID: fe971c9835e6a3e57dfd983bc37e4a6fb9aed279543e500609fd36d25054b0cf
Opcode Fuzzy Hash: bbfe8463b54e1bd479bffcb8e573b07428f7dae61db7a93e5ecd99f9e79b0222
Instruction Fuzzy Hash: 7C2105B5D00208DFDB00CFA9D984ADEBBF8EF49324F14845AE914A3210D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B9BD00, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B9BD87

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0fa293da402240749f23603acc251b21da7a1393693c25b64f00161484248cf4
Instruction ID: c23199bcea23a08cad0a70020d0200562d952da58ecefb1afd7b0a270995d665
Opcode Fuzzy Hash: 0fa293da402240749f23603acc251b21da7a1393693c25b64f00161484248cf4
Instruction Fuzzy Hash: EF21E3B5D002189FDB10CF99D984ADEBBF8EB48324F14846AE914A3250D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B99849, Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B996A9,00000800,00000000,00000000), ref: 02B998BA

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1536f89cf0646cc21d2c9412096862239b637f971d51bea819644e0789abc907
Instruction ID: f2d1bd932aceca237ac3c6e2f377bf3bc7b53824c69ee56aa7163ffb17051d12
Opcode Fuzzy Hash: 1536f89cf0646cc21d2c9412096862239b637f971d51bea819644e0789abc907
Instruction Fuzzy Hash: 312133B2D00249DFDB10CFAAD488ADEFBF4EB89354F14846ED425A7600C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B98768, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B996A9,00000800,00000000,00000000), ref: 02B998BA

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bb3cffb715bd55a8394b8b187232895f5156e795e9e9d1a1475972a438560e96
Instruction ID: 9cf7bfb077f0660dc2576a878c768a7d96ad224e83441115fcae9514e419602d
Opcode Fuzzy Hash: bb3cffb715bd55a8394b8b187232895f5156e795e9e9d1a1475972a438560e96
Instruction Fuzzy Hash: 751133B2D002098FDB10CF9AC488BDEFBF4EB88354F14846EE415A7200C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B9FE38, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B9FE9D

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8ee7c2c1f2a6da7a701b42536373c3a73f0c644445697a92fa6564c6c890eef6
Instruction ID: 5abf6afa3a29fd2cd14d025d5e84c9d6f9f63096035b756e5eeaaa265b68692b
Opcode Fuzzy Hash: 8ee7c2c1f2a6da7a701b42536373c3a73f0c644445697a92fa6564c6c890eef6
Instruction Fuzzy Hash: A51155B1D00648CFDB10CF99D585BEEBBF8EB88324F24845AD854B3641C374A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B995C8, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B9962E

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e0251b98903fb1b5d7bfc67582879254a14269483aaef2bb76ee26f7c9da42ee
Instruction ID: 57775e2afb8d790c07d68498a8af6c727368bc14fef70887d6044580438e14eb
Opcode Fuzzy Hash: e0251b98903fb1b5d7bfc67582879254a14269483aaef2bb76ee26f7c9da42ee
Instruction Fuzzy Hash: A81122B2C006498FDB10CF9AC444BDEFBF4EF88328F14846AD829A7210C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B9FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B9FE9D

Memory Dump Source

Source File: 00000001.00000002.518063446.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b90000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 248614d656e353dcc6226044266f3163a04d26f9ff02dd00f0dc8b5ca0aad37e
Instruction ID: 958b55f555d72ed5c356cede0aa7e9876846c184ff68f870a74fe416a53f5eb4
Opcode Fuzzy Hash: 248614d656e353dcc6226044266f3163a04d26f9ff02dd00f0dc8b5ca0aad37e
Instruction Fuzzy Hash: 401115B5C006089FDB10CF99D589BDFBBF8EB48324F10845AD818A3741C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EFD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515650266.0000000000EFD000.00000040.00000001.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_efd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cfbff15d37033b86a9c24ac10b27f74bbc878d7c6eda33787f307c2a36f5ef
Instruction ID: e201057ecacc586edffebb0b2f002a9c438ed12dae7a979f13e5af3162bff016
Opcode Fuzzy Hash: 65cfbff15d37033b86a9c24ac10b27f74bbc878d7c6eda33787f307c2a36f5ef
Instruction Fuzzy Hash: 0E2128B1508248DFDB01DF54DDC0B76BF66FB94328F24C569DA091B256C336D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515752321.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f0d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20eda83b2ced2434c9fc8934b448a8bec53321fc773f04551484a3cfa904c5d4
Instruction ID: d88bc5adadc1cbe188dce271c72bb9661b48c219d5980dfab29cf2059e53af3d
Opcode Fuzzy Hash: 20eda83b2ced2434c9fc8934b448a8bec53321fc773f04551484a3cfa904c5d4
Instruction Fuzzy Hash: 6F21F571A04244DFDB14CF94D9C4B16BB65FB84324F24C969D84D4B28AC336D847EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00F0D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515752321.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f0d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e9fb2fca49ccc5d0715b678e87bd757b358525b55dfcb69bfc26376932e2fd
Instruction ID: 3ee7d626d71c03a7b820a6a9e3852cb55c5eb01dcbb5414c6b4a0f6503c68394
Opcode Fuzzy Hash: d5e9fb2fca49ccc5d0715b678e87bd757b358525b55dfcb69bfc26376932e2fd
Instruction Fuzzy Hash: 312180755093C08FDB02CF24D990715BF71EB46324F28C5EAD8498B697C33A980ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EFD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515650266.0000000000EFD000.00000040.00000001.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_efd000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction ID: 7c37be359ad1214b2d3017d9bcd68c27fc56c03329aaf958451647f844f0cd23
Opcode Fuzzy Hash: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction Fuzzy Hash: C811E976804244CFDF12CF14D9C4B26BF72FB84328F24C5A9D9051B656C336D856CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: INFORMATION CONFIRMATION LIST.exe PID: 4532 Parent PID: 904 INFORMATION CONFIRMATION LIST.exeCOMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	108
Total number of Limit Nodes:	9

Executed Functions

Function 015C94E8, Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015C972E

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 21d0a8b1469e3f6442c570909f826870af96c1338f56e086c4fdae6dc1ec2ddf
Instruction ID: 173509f68ba6d40985e6f6bc66127f0d880e51cb58c8a78e851bb07fe973ba18
Opcode Fuzzy Hash: 21d0a8b1469e3f6442c570909f826870af96c1338f56e086c4fdae6dc1ec2ddf
Instruction Fuzzy Hash: DC7104B0A00B058FDB24DFA9D14479ABBF5BF88708F10892DD48ADBA50DB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015CDD34, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015CFF4A

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 447f0878b9339ab2acd8bed035528cb2dd6a2edd97ca0e6ad38376d62813cf0a
Instruction ID: 8454055e4e57f663b8a63f426a8020eb81cd007daedee2aa3e5c0fb045a2b60b
Opcode Fuzzy Hash: 447f0878b9339ab2acd8bed035528cb2dd6a2edd97ca0e6ad38376d62813cf0a
Instruction Fuzzy Hash: 5851CFB1D003099FDB14CF99C884ADEBBB6FF48714F24852AE819AB250D7B09845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015CFE2E, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015CFF4A

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2d59224b56ec642f07af034c6207321ee7d90bce406fff3a3dfd498a6abb80d3
Instruction ID: 3d9e77e7647ec22e6c83a316f31363e22063146fe472d24da2cd19da729d9ef7
Opcode Fuzzy Hash: 2d59224b56ec642f07af034c6207321ee7d90bce406fff3a3dfd498a6abb80d3
Instruction Fuzzy Hash: D751DEB1D003099FDB14CFD9C984ADEBBB6FF48714F24862AE819AB250D7B49845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015C5374, Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015C5431

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7f9a0976404449191f15c905f1005f6653d22cbe5595af75d494e9c1399fca08
Instruction ID: 5c53b357e1020a4190f20e990cbbc56e810b19a536fa1ac4e15806a412bc96fd
Opcode Fuzzy Hash: 7f9a0976404449191f15c905f1005f6653d22cbe5595af75d494e9c1399fca08
Instruction Fuzzy Hash: 3541F1B1D00619CFDB64CFE9C9847DDBBB5BF49304F20846AD408AB251DBB1694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 015C3E6C, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015C5431

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6e764906d4df8d547c1cfed8531a2f4da1a7daaf199e50baade1d6cc215794b1
Instruction ID: 6900b06945ddd781397de962780946052ad5c642d26acfe446ae5c4721e5b68d
Opcode Fuzzy Hash: 6e764906d4df8d547c1cfed8531a2f4da1a7daaf199e50baade1d6cc215794b1
Instruction Fuzzy Hash: 8241E070D00618CFDB64DFEAC9847DEBBB9BF48704F20846AD409AB251EBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015CA224, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015CB9BE,?,?,?,?,?), ref: 015CBA7F

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed3b49032dc152fd3d6d32a4afc07fcac05b6afcb19a21114746089125a68dcb
Instruction ID: e2ecd562b8bf158e13e42c3995635554ad18f911b78300d8e26a3f8e2c149898
Opcode Fuzzy Hash: ed3b49032dc152fd3d6d32a4afc07fcac05b6afcb19a21114746089125a68dcb
Instruction Fuzzy Hash: AF2114B5D00209EFDB10CF9AD984AEEBBF8FB48320F14841AE914A7310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015CB9F0, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015CB9BE,?,?,?,?,?), ref: 015CBA7F

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5a5846cc4b623f72cf410a18afb550bcecb04d4c55e3a8f45708043f95154145
Instruction ID: a1ebdb908c8bbc980966ec28f12e0f56807ef853fd67ff5f2b4faf4415e42e78
Opcode Fuzzy Hash: 5a5846cc4b623f72cf410a18afb550bcecb04d4c55e3a8f45708043f95154145
Instruction Fuzzy Hash: 5921E3B5D00209DFDB00CFA9D985ADEBBF8FB48324F14841AE954A7350D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015C8818, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015C97A9,00000800,00000000,00000000), ref: 015C99BA

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b4a5c52280d1a4c8f8f3cdbb37ce37df41b0e0f04e16119b5ed2169aded70898
Instruction ID: 616325026f93781a2084edb632d66ccc4ffb6b17d92d6ff2b297cb7ef31c107e
Opcode Fuzzy Hash: b4a5c52280d1a4c8f8f3cdbb37ce37df41b0e0f04e16119b5ed2169aded70898
Instruction Fuzzy Hash: ED1106B6900209DFDB10CF9AC444ADEBBF8FB48714F14842ED915A7610D3B4A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015C994A, Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015C97A9,00000800,00000000,00000000), ref: 015C99BA

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 663405749b33e30320a6e4e3d76f207e0cb188dfafd24daffa0af07eb1eb51de
Instruction ID: 38279377740822be6f758496d928e7e3c975c0bdb70f13d86e29bad16313fafc
Opcode Fuzzy Hash: 663405749b33e30320a6e4e3d76f207e0cb188dfafd24daffa0af07eb1eb51de
Instruction Fuzzy Hash: FC1114B6C0020ACFDB10CF9AD544BDEBBF4BB48714F14841ED859A7610D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071B13B0, Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 071B1415

Memory Dump Source

Source File: 00000008.00000002.306094006.00000000071B0000.00000040.00000001.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_71b0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0c3c980ec6bd5f55c83cf450234faadc54e8c1cb3d984843a3d60f9183f5391c
Instruction ID: e93f4c3c4870edaac8e4348a1fc90d1be6b15c93e1b2c2d8a26d30185c4499f8
Opcode Fuzzy Hash: 0c3c980ec6bd5f55c83cf450234faadc54e8c1cb3d984843a3d60f9183f5391c
Instruction Fuzzy Hash: 711125B58002489FDB10CF99D885BEEBFF8EB48324F10851AE955A7650D3B46544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015C96C8, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 015C972E

Memory Dump Source

Source File: 00000008.00000002.299981345.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15c0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0f787390861b0a5b3cfe637d17969a240a91f9df5e3b2b734f9afa21437c787e
Instruction ID: 399985d75d61157260812db6726b82955d5daa98058fd2abf975c80f33010e83
Opcode Fuzzy Hash: 0f787390861b0a5b3cfe637d17969a240a91f9df5e3b2b734f9afa21437c787e
Instruction Fuzzy Hash: 9C110FB5C006098FDB10CF9AC448ADEFBF8FB89728F14842AD819A7210D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 071B13B8, Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 071B1415

Memory Dump Source

Source File: 00000008.00000002.306094006.00000000071B0000.00000040.00000001.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_71b0000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c84d85059537299c92464a08d33aa51a32f28add861d5a563bf42a5f46602598
Instruction ID: 317b0dd57a85edd8cb948fc8e3898d1fb24cc2984f4e135590d5adc8dd94dd64
Opcode Fuzzy Hash: c84d85059537299c92464a08d33aa51a32f28add861d5a563bf42a5f46602598
Instruction Fuzzy Hash: 5A1115B58003499FDB10CF9AC584BDEBFF8FB48324F10841AE914A7240D3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0117D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299431618.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_117d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3829207a2673e728b78f4cdbf46a5346f35ce743449df9117655a98f256c3335
Instruction ID: 37251c1a2f691fcad45aa1298b51f3ac145786fe494c289ff8db20a02fd4b82f
Opcode Fuzzy Hash: 3829207a2673e728b78f4cdbf46a5346f35ce743449df9117655a98f256c3335
Instruction Fuzzy Hash: 6321F4B2504208DFDF09CF94E9C4B96BB75FF84324F248569D8060B706C336E846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299431618.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_117d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34905d9fb9ae5c87807d6a81fca3dad6e81ba8ce99c1bd7c329739f66ea6cfe7
Instruction ID: 10fb620382702dbf78b35157eaaadb659509d94df48ceeddbcf85be1790f5369
Opcode Fuzzy Hash: 34905d9fb9ae5c87807d6a81fca3dad6e81ba8ce99c1bd7c329739f66ea6cfe7
Instruction Fuzzy Hash: 2321F1B1500248DFDF09DF94E9C4B66BF75FF88328F248969E8051A306C336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299480940.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_118d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199f16b90308777f60c3c5009d4c74dc6ce70a432005362d7e20b4b5a08487a2
Instruction ID: ce437b25c6e8bd10e27969259e19db8923f98e8d56ee1722f5ffbc5427ae375c
Opcode Fuzzy Hash: 199f16b90308777f60c3c5009d4c74dc6ce70a432005362d7e20b4b5a08487a2
Instruction Fuzzy Hash: 36210071504304EFDF19EF94E9C4B26BB65EB84264F24C969D8094B286C336D807CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0118D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299480940.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_118d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8fd73932d9a6cf3eca11932a21fd24cffcd135243903d869c4d577eb580452
Instruction ID: ad7dc797e79f6e9c95274842e99e094a129e25ed79d65b6b7b1e7afd2e222815
Opcode Fuzzy Hash: 6e8fd73932d9a6cf3eca11932a21fd24cffcd135243903d869c4d577eb580452
Instruction Fuzzy Hash: 1621F571904304EFDF09EF94E5C4B26BB66FB84324F24C969E8094B282C336D846CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0117D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299431618.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_117d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction ID: c626a01db1f5074dcfc5ca5002d7eba44159f75a6cdf8f5e7f31882bb2025abb
Opcode Fuzzy Hash: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction Fuzzy Hash: B2119D76404284DFDF16CF54E5C4B56BF71FB84224F2486A9D8090AB56C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299431618.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_117d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction ID: 3c22666f41012f6e39487f0d26588065cb7c0f96ff2d9c39670e56d5280c9a65
Opcode Fuzzy Hash: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction Fuzzy Hash: 92119A76804284CFDF16CF54E9C4B16BF71FB88324F2886A9D8450B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0118D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299480940.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_118d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction ID: ecd785826ee4aac0d4352a63cfc4785c7afb56b1175616e36b56efc7f0a0fec4
Opcode Fuzzy Hash: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction Fuzzy Hash: 0311BB75904280DFDF06DF54E5C0B15BBB2FB84324F28C6A9D8494B696C33AD44ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 0118D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299480940.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_118d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction ID: d9153dd346e2b76bc4360b816735afb94f4bd44554c8ad5f630977d0b9251f08
Opcode Fuzzy Hash: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction Fuzzy Hash: 2311BB75504380CFDB16DF54E5C4B15BBA1FB84324F28C6AAD8494B696C33AD44BCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D651, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299431618.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_117d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7e157a4453d1637585f0c5629802e419b900f3cc60c2c4633774ccc462f2a7
Instruction ID: b502ea62002fc5dfe91883605a556a2cf81fad526255dc0a883b8bb24aeab5fe
Opcode Fuzzy Hash: ec7e157a4453d1637585f0c5629802e419b900f3cc60c2c4633774ccc462f2a7
Instruction Fuzzy Hash: 6301FC714043489AEB149E95DD847A7BFECEF40234F188419FD4C1E342D3789844C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D650, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.299431618.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_117d000_INFORMATION CONFIRMATION LIST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa1542d8d639c537b5732d090a1a068c1c607c4e24e591706dcc80d09aff1e8
Instruction ID: 7527e9767290a9879f78a072359544dfcb22bc068d658b96aed8a2c465ce59a1
Opcode Fuzzy Hash: 0aa1542d8d639c537b5732d090a1a068c1c607c4e24e591706dcc80d09aff1e8
Instruction Fuzzy Hash: 96F062B14042489EFB158A59DD84B62FFACEF41774F18C55AFD485F382D3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 1400 Parent PID: 904 dhcpmon.exeCOMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	210
Total number of Limit Nodes:	13

Executed Functions

Function 08F3F747, Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F3F986

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ce677b5b25d740078db42e0a9e88e5ecd4ff01c93121de38fa9a89659e92176d
Instruction ID: c1274597e759ad72f2933ce99c5a31680d5651d4b5e308773e14d0246ea55ec4
Opcode Fuzzy Hash: ce677b5b25d740078db42e0a9e88e5ecd4ff01c93121de38fa9a89659e92176d
Instruction Fuzzy Hash: B3914971D00229DFDF14CFA8C881BEDBBB2EF48315F1585AAE809A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F750, Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F3F986

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0aecebc1d54f5456ffaa011591b6173fcb6bf8858cb7892a13e6998430574da8
Instruction ID: 3e946e869436b7d9c98d0da10493146bfec5d2bae268d1912a5ae44c5fa29afa
Opcode Fuzzy Hash: 0aecebc1d54f5456ffaa011591b6173fcb6bf8858cb7892a13e6998430574da8
Instruction Fuzzy Hash: 05914971D00229DFDF14CFA8C884BEDBBB2EF48315F1485A9E809A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E294E8, Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E2972E

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 254ce498a1c5272f475309a176c3dae8433254e5f0a29818ef6af793adc2c004
Instruction ID: f12b57fa23d9b9726c2052f4a9b75b014d70f7fe58df1e558295162faab69e50
Opcode Fuzzy Hash: 254ce498a1c5272f475309a176c3dae8433254e5f0a29818ef6af793adc2c004
Instruction Fuzzy Hash: 937144B0A00B158FD724DF69D54479AB7F5BF88308F10992ED48AD7A50DB34E849CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E2FE2D, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E2FF4A

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e88fab1ec3406790a287ec999483769639682cf40bef41f3d2326dbe3dd8732c
Instruction ID: f498b38f310f8fbdd3fd60a37855cad6619186bb062fc3851e80d11a72052375
Opcode Fuzzy Hash: e88fab1ec3406790a287ec999483769639682cf40bef41f3d2326dbe3dd8732c
Instruction Fuzzy Hash: 4851BDB1D003199FDB14CF9AC984ADEBBB5BF88314F24852AE81AAB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E2DD34, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E2FF4A

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8c6101a240410eb7eda060c53b116e54a48212fc88f45fbe67bb66231351abcf
Instruction ID: ee4c2d0b1c301bb9e126cdeb5ff0483d3b864b0f8ac1a3e9085df71bdd69ff05
Opcode Fuzzy Hash: 8c6101a240410eb7eda060c53b116e54a48212fc88f45fbe67bb66231351abcf
Instruction Fuzzy Hash: BA51AFB1D00319DFDB14CF9AC984ADEBBB5FF88314F24852AE819AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E25374, Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E25431

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2ab64d305ea64f84c6d96a68a9c11a5dc11367aa3c277554484a77fbae7c087a
Instruction ID: 368ee77985e5927ad41bb822848fc3b2889919e95021ae5ceee1cb21b2d7e216
Opcode Fuzzy Hash: 2ab64d305ea64f84c6d96a68a9c11a5dc11367aa3c277554484a77fbae7c087a
Instruction Fuzzy Hash: 0B41F4B1C00629CBDB24CF99C9847DDBBB5BF48309F64846AD40ABB251DB71694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E23E6C, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E25431

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a36a78624b2f1271b33a0062b0620543f19f240a45e3362691f52abb21cd4716
Instruction ID: bbf3908be5e3f81cd5f5f839bdd4c4b98520716ed3345b909b08d91c1c73e206
Opcode Fuzzy Hash: a36a78624b2f1271b33a0062b0620543f19f240a45e3362691f52abb21cd4716
Instruction Fuzzy Hash: 8E41D470C00628CFDB24CF99C9447DDBBB5BF49308F60846AD40ABB255DB756949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E2BABA, Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E2B9BE,?,?,?,?,?), ref: 02E2BA7F

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7e81eb418d85e90f50f3963a115e6f3638996e789a2d27e2f48b530800aa5e46
Instruction ID: 721b7d517517f7d6b1fbeefe50fbd34e2482736e4600024829d8c75365a711cf
Opcode Fuzzy Hash: 7e81eb418d85e90f50f3963a115e6f3638996e789a2d27e2f48b530800aa5e46
Instruction Fuzzy Hash: DD316B79650208BFEB089F64F89ABA97BA9F788300F50802AF9058F3C9DB745805CF11

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F4C0, Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F3F558

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0c65904dc72cc9c803d2c3c992df438b2412c5f0232317a0e4697f6b277a0a91
Instruction ID: 4d8141bf56190fe928d1280f95a7b9690852c5e760f2a2739dc29c7f8b58a714
Opcode Fuzzy Hash: 0c65904dc72cc9c803d2c3c992df438b2412c5f0232317a0e4697f6b277a0a91
Instruction Fuzzy Hash: C02166B1D003599FCB10CFA9C884BEEBBF5FF48314F10882AE959A3250C7389944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F4C8, Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F3F558

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a3170a669e7ea3d00fdc0b7cbd00109df4aa991ca7eaa35e2d05191b1c869172
Instruction ID: 564ac2444a9568be08414461036853040d3953b85d29d74c7cd0beedf956e028
Opcode Fuzzy Hash: a3170a669e7ea3d00fdc0b7cbd00109df4aa991ca7eaa35e2d05191b1c869172
Instruction Fuzzy Hash: 72212A71D003599FCB10CFA9C9847DEBBF5FF48314F108829E919A7250D7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E2A224, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E2B9BE,?,?,?,?,?), ref: 02E2BA7F

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3065818738190a31d90decc1142dafef505095680f01d4608228e32fdc5370ba
Instruction ID: f32caeeb5834d627e3814ca041438ab1d2ed4782adb10ff6158aea59b3f5ec58
Opcode Fuzzy Hash: 3065818738190a31d90decc1142dafef505095680f01d4608228e32fdc5370ba
Instruction Fuzzy Hash: 1421E3B5900219EFDB10CF9AD584BDEBBF8EB48324F14841AE915A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E2B9F0, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E2B9BE,?,?,?,?,?), ref: 02E2BA7F

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f92ecb5746774ab2fe0e84130c8c5c20181c9a6204239dd7e22435a92f77ba41
Instruction ID: 0299a859afc91b7621021f227d0e516f7b7d043914af7f006d71ec958794eaef
Opcode Fuzzy Hash: f92ecb5746774ab2fe0e84130c8c5c20181c9a6204239dd7e22435a92f77ba41
Instruction Fuzzy Hash: 6221D2B5D002199FDB10CFA9D584ADEBBF8EF48324F14845AE955A3310D378A944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F330, Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08F3F3AE

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 961f1228c2fa92fa350862641a0aa1d248e19812cb68be5e1fd966f0481eb907
Instruction ID: 12914d2233af2f2a7764253fc29cc946316459b5effeca536a32ef1727f84746
Opcode Fuzzy Hash: 961f1228c2fa92fa350862641a0aa1d248e19812cb68be5e1fd966f0481eb907
Instruction Fuzzy Hash: EF2118B1D002199FDB10CFAAC5847EEBBF4EF48224F14842AD959A7250DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F328, Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08F3F3AE

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 76b6998c84e0d497629c0fef8ca367c2219a650db8b94440b92bca4728b7dee1
Instruction ID: 20977f7a3ffbf4bebb3054f9992291453df72f79aae64afac137e25dea3adeee
Opcode Fuzzy Hash: 76b6998c84e0d497629c0fef8ca367c2219a650db8b94440b92bca4728b7dee1
Instruction Fuzzy Hash: 042138B2D006198FDB10CFA9C5847EEBBF4EF48224F14842AD959A7250DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F5B3, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F3F638

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 43248b59e43bd6927d64f82cc91ffc062fb80ce60b65e72eccfeff46b8823d28
Instruction ID: b510ea6e9df9dcea1b65026cd85ae7e67e6769db1dcc2c3849cec065a09b565d
Opcode Fuzzy Hash: 43248b59e43bd6927d64f82cc91ffc062fb80ce60b65e72eccfeff46b8823d28
Instruction Fuzzy Hash: 512128B5D00219DFCB00CFA9C9847EEBBB5FF48324F10882AE919A7250D7389545DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F5B8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F3F638

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b045dedd77bd9f14c998b548e24f9d8a6f57c8e47a1434e86e50a7c78362b0bb
Instruction ID: 7342ed3d233d7282074f93e151637ca88b8669ed1373f4ddfca75e0f92dc03ae
Opcode Fuzzy Hash: b045dedd77bd9f14c998b548e24f9d8a6f57c8e47a1434e86e50a7c78362b0bb
Instruction Fuzzy Hash: 56213C71C003599FCB10CFA9C9446EEBBF5FF48314F50882AE519A7250D7349545DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F400, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F3F476

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3cfdef1f210c14d7a77dec3c64efeea417bf084f35d692b7bd17b85576fdc9f3
Instruction ID: 6502d0af5c8d5bb8b32ffac672968ed33135994c8de2224d96dab62adaea89f3
Opcode Fuzzy Hash: 3cfdef1f210c14d7a77dec3c64efeea417bf084f35d692b7bd17b85576fdc9f3
Instruction Fuzzy Hash: 071147B1C002499FDB10CFA9C8446EFBBF5EF88314F24881AE915A7260C7359954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E28818, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E297A9,00000800,00000000,00000000), ref: 02E299BA

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c20d75bdef688417bfb23709f4478c58111988f2cc2f02a1d767679ee35df726
Instruction ID: 62c510944654110ec6e2a34608716641561165fbc5aafc692172dd730330df55
Opcode Fuzzy Hash: c20d75bdef688417bfb23709f4478c58111988f2cc2f02a1d767679ee35df726
Instruction Fuzzy Hash: 821106B59002199FDB10CF9AC544BDEBBF4EB48324F24942AD416B7610C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E2994A, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E297A9,00000800,00000000,00000000), ref: 02E299BA

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d73583e6828e3ba6fa0d698f8927542f39966bb1ca2de1fa29b4d6849554108f
Instruction ID: c9ea22275b5f5e407256157bbfc3a1a5b4ec62db695ab9b015274eb74582f8fe
Opcode Fuzzy Hash: d73583e6828e3ba6fa0d698f8927542f39966bb1ca2de1fa29b4d6849554108f
Instruction Fuzzy Hash: 621114B69002199FDB10CF9AC948BDEFBF8EB88324F14842AD456B7710C374A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F408, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F3F476

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9b83ff3db127a0860c969f594479ccc8d00eb29a3608fe2087987ea7a8375c45
Instruction ID: 9214323c097dee606837728dfd1794b977849c6fe72e1cc6a8ef9cad4b97957d
Opcode Fuzzy Hash: 9b83ff3db127a0860c969f594479ccc8d00eb29a3608fe2087987ea7a8375c45
Instruction Fuzzy Hash: C3115671C002089FCB10CFAAC844AEFBBF9EF88324F248819E515A7260CB359954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F280, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08F3F2E2

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9579063cb89516f99b2cb4371b5cee3c0184fe3e9105a77d5facc83fb646d0a9
Instruction ID: 8fdb8e353aa34d3b8d9e038527674a35f96d201ab21c55d9d379e49381967502
Opcode Fuzzy Hash: 9579063cb89516f99b2cb4371b5cee3c0184fe3e9105a77d5facc83fb646d0a9
Instruction Fuzzy Hash: 43115B71D002588FCB10CFAAC4447DEFBF8EF88224F248819C415B7250CB349544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08F3F278, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08F3F2E2

Memory Dump Source

Source File: 0000000D.00000002.323872175.0000000008F30000.00000040.00000001.sdmp, Offset: 08F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8f30000_dhcpmon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 49da931e0fd1ce01fef8215438a16baf2bfa833c6f9fd6d7c5190ed56e05aed8
Instruction ID: b19db670bd4cf6b92fdda2e431d844d31c6a69e2d785c9533413a753c81bb430
Opcode Fuzzy Hash: 49da931e0fd1ce01fef8215438a16baf2bfa833c6f9fd6d7c5190ed56e05aed8
Instruction Fuzzy Hash: 0D1146B5D00218CFDB10CFA9C5457EEBBF8EB48228F24882AC419B7250CB389544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E296C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E2972E

Memory Dump Source

Source File: 0000000D.00000002.310479745.0000000002E20000.00000040.00000001.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e20000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f90f4c0009b35f90a9f34a2d8320d0e031cd7a1f68358623e24959367f8286ac
Instruction ID: f6e2459c09cb30aedca0235462b9228c35e4ac0f9b7d7b6a2b49b76151bd77bb
Opcode Fuzzy Hash: f90f4c0009b35f90a9f34a2d8320d0e031cd7a1f68358623e24959367f8286ac
Instruction Fuzzy Hash: AA1102B5C006598FCB10CF9AC444ADEFBF4EF88328F24842AD419A7610C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 072113B0, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07211415

Memory Dump Source

Source File: 0000000D.00000002.322905090.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7210000_dhcpmon.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: df9af44e80d7f67ca0fedb8a4c9a52e031b197e25e60d68d67834ae9aaafdbba
Instruction ID: 2632c25b703a4f1bddbcc3cf3946119e5e120b0196af17e51fb4900fb508da2d
Opcode Fuzzy Hash: df9af44e80d7f67ca0fedb8a4c9a52e031b197e25e60d68d67834ae9aaafdbba
Instruction Fuzzy Hash: A21122B58006499FDB10CF99C988BDEBBF8EB48324F24881AD555A7650D374A594CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 072113B8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07211415

Memory Dump Source

Source File: 0000000D.00000002.322905090.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7210000_dhcpmon.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 75dff280abe511119475f3d9f7427703cf1d8b45e01550899fadc298cf942d86
Instruction ID: b32f928df740758bfe6843d036668b6347b7025b47afe4a59f274af34705f70c
Opcode Fuzzy Hash: 75dff280abe511119475f3d9f7427703cf1d8b45e01550899fadc298cf942d86
Instruction Fuzzy Hash: 281115B58007499FDB10CF9AC488BDEBBF8FB48324F20841AE515A3610D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310214671.0000000002CCD000.00000040.00000001.sdmp, Offset: 02CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ccd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b13c6484cb674819bf5c5e83672003bac5ec609bf38d9bace822ce264d6593
Instruction ID: 4f28007207984e3dfd6540ef596b7f0899f08772016d076e4678784440e1cf28
Opcode Fuzzy Hash: b8b13c6484cb674819bf5c5e83672003bac5ec609bf38d9bace822ce264d6593
Instruction Fuzzy Hash: 122103B2500244DFDB05DF54D9C0B66BB65FBC8328F34897DE8060B246C336D946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCD3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310214671.0000000002CCD000.00000040.00000001.sdmp, Offset: 02CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ccd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7830a167ef2e7a6593bb15219790260fb851239f6737c058ac368af2ece7d662
Instruction ID: de3009285e80b271b9da97d1f371dc3df13809fd7895b98b818d4d7ac5f01e1a
Opcode Fuzzy Hash: 7830a167ef2e7a6593bb15219790260fb851239f6737c058ac368af2ece7d662
Instruction Fuzzy Hash: F721F1B1500204EFDB08CF50D9C4B66BB69FB88324F34897DE90A0B206C336E846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310250829.0000000002CDD000.00000040.00000001.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2cdd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a267440be1bc6ce209a5afa039626f94c937acc7d0f8b7a7831ff50d819540b9
Instruction ID: 085422a2f9bdaf42094b61b1e0de7ed799a2d8bd75345cc896d5c80ed6602e43
Opcode Fuzzy Hash: a267440be1bc6ce209a5afa039626f94c937acc7d0f8b7a7831ff50d819540b9
Instruction Fuzzy Hash: 2121F2B2904344DFDB14DF24D9C4B66BBA5FBC8314F64C969E90A4B246C336E847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310250829.0000000002CDD000.00000040.00000001.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2cdd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef0e2c9fdefce79a4879d6d9f44b67375275b5b53a5d19c948b15fcb2560397
Instruction ID: 11172c5d7210e5fb65c3990d4eaad0720a8ca032bc2faed17117ba17c21e83b8
Opcode Fuzzy Hash: aef0e2c9fdefce79a4879d6d9f44b67375275b5b53a5d19c948b15fcb2560397
Instruction Fuzzy Hash: 082104B2D04204EFDB01DF50D9C4B26BBA5FBC8318F24C9A9E94A4B242C336DC46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CDD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310250829.0000000002CDD000.00000040.00000001.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2cdd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6452cf3eafa8a30f112eff2f77168766ff2ea9e5067856a44bde97278d7a6c27
Instruction ID: ce8fed7ec7e4391981fd72d3154405f4663732ba22bd00e3d342198450d83508
Opcode Fuzzy Hash: 6452cf3eafa8a30f112eff2f77168766ff2ea9e5067856a44bde97278d7a6c27
Instruction Fuzzy Hash: E42192765093C08FDB12CF24D590715BF71EB86214F28C5EAD8498F697C33AD80ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02CCD3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310214671.0000000002CCD000.00000040.00000001.sdmp, Offset: 02CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ccd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction ID: b57dbd719317a8805ba58b5a82e74bc95f8f0d6656334516d584b333ead0b801
Opcode Fuzzy Hash: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction Fuzzy Hash: A711B176404280DFDB15CF10D9C4B16BF71FB84324F24C6ADD9094B656C33AE55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310214671.0000000002CCD000.00000040.00000001.sdmp, Offset: 02CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ccd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction ID: e22e54892c5bdea913049d1bf8f1a8d4a2bec68e5541a704b7cef5adbfe43c00
Opcode Fuzzy Hash: b026a0720eb4c1b8d48423054a7afd16db820eb83f93aa31c1cd4e4ebf195fc9
Instruction Fuzzy Hash: A211B1B6804280CFDB11CF10D9C4B16BF71FB84324F24C6ADD8450B656C336D55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CDD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310250829.0000000002CDD000.00000040.00000001.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2cdd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction ID: 456c81dade9bdff61a28adb9374008086aa88b04d95fae87ef11e55c82387c90
Opcode Fuzzy Hash: 8d4a615e5dd6ad9fc3a51053f329abe2d5799460873fcff9efeb80ce7cc17978
Instruction Fuzzy Hash: 78119D76904280DFDB11CF10D5C4B15FBB1FB84324F28C6ADD94A4B656C33AD94ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 02CCD651, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310214671.0000000002CCD000.00000040.00000001.sdmp, Offset: 02CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ccd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9786b9063f453df7d84f989647ea7b5fe6b1bcdf47be11482809ffd575ed68ad
Instruction ID: 3251bcb6fde61266b9433057a6943ec1825782f8d06bffa35c93ba7a41bf2be7
Opcode Fuzzy Hash: 9786b9063f453df7d84f989647ea7b5fe6b1bcdf47be11482809ffd575ed68ad
Instruction Fuzzy Hash: 00012B714043449AE710AE56CD847A7FBDCEF80238F288C6EED4E5F242D3789884C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCD650, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.310214671.0000000002CCD000.00000040.00000001.sdmp, Offset: 02CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ccd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba2d806fa101bac59ee84c26fc5105979415028bc6ab6770f428b1e2c3f0265
Instruction ID: aa4553d1650d7ff787091a82b4f9388c84959dafb7bd366a209479822e0a7d70
Opcode Fuzzy Hash: 1ba2d806fa101bac59ee84c26fc5105979415028bc6ab6770f428b1e2c3f0265
Instruction Fuzzy Hash: AFF06271404744AEEB109A1ADD84B62FF98EF81734F28C85AED095F292D3789944CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report INFORMATION CONFIRMATION LIST.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

Function 0311FCE3, Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Function 031194E8, Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Function 0311DD18, Relevance: 1.6, APIs: 1, Instructions: 127
COMMON