Windows Analysis Report NEW PRICE ENQUIRY FROM PHILLIPINES.exe

Overview

General Information

Sample Name: NEW PRICE ENQUIRY FROM PHILLIPINES.exe
Analysis ID: 552509
MD5: ca0d3ca986e592ec436052f747f833c0
SHA1: 8bdb8ebea5444c42c75c0b30ac8628d06c6cbce0
SHA256: 5e4ccf3d7a2885ab1f1ce83b855ec6f8b771b1731fad4807f8d57b250a5505ad
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
.NET source code contains method to dynamically call methods (often used by packers)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • NEW PRICE ENQUIRY FROM PHILLIPINES.exe (PID: 976 cmdline: "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" MD5: CA0D3CA986E592EC436052F747F833C0)
    • NEW PRICE ENQUIRY FROM PHILLIPINES.exe (PID: 6296 cmdline: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe MD5: CA0D3CA986E592EC436052F747F833C0)
      • schtasks.exe (PID: 4544 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5096 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 4800 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 5644 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
  • dhcpmon.exe (PID: 3832 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 6728 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 6780 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
    • dhcpmon.exe (PID: 6992 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CA0D3CA986E592EC436052F747F833C0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
8.2.dhcpmon.exe.2e38774.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
11.2.dhcpmon.exe.399ec60.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.399ec60.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started, Author: frack113, Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ParentImage: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ParentProcessId: 6296, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp, ProcessId: 4544

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ProcessId: 6296, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Virustotal: Detection: 33%
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Metadefender: Detection: 28%
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, ReversingLabs: Detection: 48%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Metadefender: Detection: 28%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 48%
Yara detected Nanocore RAT
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PermissionSetAttribu.pdb source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmp

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: kashbilly.ddns.net
Source: global traffic, TCP traffic: 192.168.2.6:49757 -> 197.211.59.104:6060
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmpString found in binary or memory: http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: http://www.radgametools.com/bnkdown.htm
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: http://www.totalbf2142.com/forums/showthread.php?t=5342
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.378302484.00000000071F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.374107152.0000000000D62000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000000.368593122.0000000000D32000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000000.388098487.0000000000112000.00000002.00020000.sdmp, dhcpmon.exe, 00000008.00000002.412733612.0000000000942000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmpString found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663Mhttp://igaeditor.sourceforge.net/wiki/
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exeString found in binary or memory: https://sourceforge.net/svn/?group_id=181663
        Source: unknown; DNS traffic detected: queries for: kashbilly.ddns.net
        Source: dhcpmon.exe, 00000008.00000002.414092694.0000000001098000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.4139930.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.4139930.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.33f9930.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.33f9930.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.dhcpmon.exe.37f9930.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.dhcpmon.exe.37f9930.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample, Static PE information: Filename: NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2f997bc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.399ec60.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42ac040.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.3e8b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.3e8b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.3e8b78e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a4bed.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a4bed.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.3e905c4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.3e905c4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3186a78.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3186a78.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f84bed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f84bed.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.dhcpmon.exe.396c040.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.dhcpmon.exe.396c040.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.dhcpmon.exe.396c040.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3f5c040.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3f5c040.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.2.dhcpmon.exe.3f5c040.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.3b705c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3b705c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.3b705c4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3b705c4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.2b89688.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2b89688.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.359ec60.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.dhcpmon.exe.3e905c4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.3e905c4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f7b78e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f7b78e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f7b78e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.5910000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.5910000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.41a05c4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3f805c4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.3b6b78e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.3b6b78e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.3b6b78e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6704629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6704629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.356c040.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42dec60.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.42dec60.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 18.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.dhcpmon.exe.3f8ec60.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.dhcpmon.exe.3f8ec60.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.374253790.0000000000E24000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000000.368688896.0000000000DF4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628691337.0000000003151000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630982055.0000000006860000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.404702459.00000000001D4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.420068237.0000000000BF4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePermissionSetAttribu.exeH vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.420894807.000000000125A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe Virustotal: Detection: 33%
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe Metadefender: Detection: 28%
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe ReversingLabs: Detection: 48%
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe File read: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown Process created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe"
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
        Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" 0
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp
        Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PRICE ENQUIRY FROM PHILLIPINES.exe.log
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe File created: C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
        Source: classification engine Classification label: mal100.troj.evad.winEXE@22/8@7/1
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.374107152.0000000000D62000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000000.368593122.0000000000D32000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000000.388098487.0000000000112000.00000002.00020000.sdmp, dhcpmon.exe, 00000008.00000002.412733612.0000000000942000.00000002.00020000.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [content] ([active], [activate], [expire], [dayparts], [contentType], [descriptor], [size], [viewcount], [viewlimit], [displayafter], [props], [data]) VALUES (@active, @activate, @expire, @dayparts, @contentType, @descriptor, @size, @viewcount, @viewlimit, @displayafter, @props, @data); SELECT last_insert_rowid() AS contentId;
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{51e297f7-7758-4d32-86af-0aafa20a3f56}
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe File created: C:\Program Files (x86)\DHCP Monitor
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, mee/Keg.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 0.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.cs Cryptographic APIs: 'CreateDecryptor'
        Source: dhcpmon.exe.2.dr, mee/Keg.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, mee/Keg.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.3.unpack, mee/Keg.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.7.unpack, mee/Keg.cs Cryptographic APIs: 'CreateDecryptor'
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: PermissionSetAttribu.pdb source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.402338906.0000000000B32000.00000002.00020000.sdmp, dhcpmon.exe, 0000000B.00000002.434374416.0000000000282000.00000002.00020000.sdmp, dhcpmon.exe, 0000000C.00000002.430902824.0000000000762000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.415826447.00000000003C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000000.420349952.0000000000172000.00000002.00020000.sdmp, dhcpmon.exe, 00000012.00000000.429703752.0000000000A42000.00000002.00020000.sdmp

        Data Obfuscation:

        .NET source code contains potential unpackerShow sources
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.2.dr, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.3.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.7.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.11.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, GZ/v4.cs.Net Code: OFU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        .NET source code contains method to dynamically call methods (often used by packers)
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d60000.0.unpack, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: dhcpmon.exe.2.dr, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.3.unpack, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.7.unpack, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.11.unpack, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.d30000.1.unpack, mee/Keg.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeCode function: 0_2_076E61E9 push ebx; iretd
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeCode function: 5_2_066B8E8B push es; ret
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeCode function: 5_2_066B8B7F push es; iretd
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeCode function: 5_2_066B61E9 push ebx; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_075361E9 push ebx; iretd
        Source: initial sampleStatic PE information: section name: .text entropy: 7.78570516551
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeFile opened: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match File source: 8.2.dhcpmon.exe.2e38774.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.315dc78.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.3188810.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 8.2.dhcpmon.exe.2e0dbdc.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.241dc78.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 5.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.2448810.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.2.dhcpmon.exe.2848774.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 11.2.dhcpmon.exe.281dbdc.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 772 Thread sleep time: -39926s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 5888 Thread sleep time: -10145709240540247s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 6420 Thread sleep time: -38463s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 5104 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4400 Thread sleep time: -35164s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5964 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe TID: 6636 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5024 Thread sleep time: -33769s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5596 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6704 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Window / User API: threadDelayed 6516
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Window / User API: threadDelayed 2954
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Window / User API: foregroundWindowGot 874
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Thread delayed: delay time: 39926
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Thread delayed: delay time: 38463
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 35164
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 33769
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.627007908.00000000012E5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: dhcpmon.exe, 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628991392.00000000031C7000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629899402.0000000003722000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629391684.00000000032A7000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629737178.0000000003592000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629584039.00000000033FD000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630799975.00000000065EB000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629242696.0000000003259000.00000004.00000001.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.631357745.00000000070ED000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.631186845.0000000006BBC000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630964365.000000000685D000.00000004.00000010.sdmp, NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629433411.00000000032B4000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progman
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: &Program Manager
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628490640.0000000001C40000.00000002.00020000.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match, File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 976, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6296, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6384, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4800, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: NEW PRICE ENQUIRY FROM PHILLIPINES.exe PID: 6028, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 3832, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6992, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.628691337.0000000003151000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: NEW PRICE ENQUIRY FROM PHILLIPINES.exe, 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignH
elpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 2 | Input Capture 21 | Security Software Discovery 21 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Behavior Graph ID: 552509; Sample: NEW PRICE ENQUIRY FROM PHIL...; Startdate: 13/01/2022; Architecture: WINDOWS; Score: 100

        Graph contents (image not reproduced):
        • Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures; Hides that the sample has been downloaded from the Internet (zone.identifier)
        • DNS/IP Info: kashbilly.ddns.net, 197.211.59.104, 6060, globacom-asNG, Nigeria
        • Dropped files: NEW PRICE ENQUIRY ...PHILLIPINES.exe.log (ASCII); C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp1E56.tmp (XML)
        • Processes started: NEW PRICE ENQUIRY FROM PHILLIPINES.exe; dhcpmon.exe; schtasks.exe; conhost.exe

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        NEW PRICE ENQUIRY FROM PHILLIPINES.exe | 34% | Virustotal |
        NEW PRICE ENQUIRY FROM PHILLIPINES.exe | 29% | Metadefender |
        NEW PRICE ENQUIRY FROM PHILLIPINES.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 29% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Unpacked PE Files

        Source | Detection | Scanner | Label
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        18.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.6700000.8.unpack | 100% | Avira | TR/NanoCore.fadte
        18.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.0.dhcpmon.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        18.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        18.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        9.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.2.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        18.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.0.dhcpmon.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        18.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        2.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.0.dhcpmon.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        9.0.NEW PRICE ENQUIRY FROM PHILLIPINES.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.0.dhcpmon.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.0.dhcpmon.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://micolous.id.au/projects/bf21 | 0% | Avira URL Cloud | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279 | 0% | Avira URL Cloud | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        http://www.totalbf2142.com/forums/showthread.php?t=5342 | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://micolous.id.au/projects/bf2142/. | 0% | Avira URL Cloud | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://micolous.id.au/ | 0% | Avira URL Cloud | safe
        http://www.sakkal.com | 0% | URL Reputation | safe
        http://micolous.id.au/projects/bf2142/ | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        kashbilly.ddns.net | 197.211.59.104 | true | false | - | high

          URLs from Memory and Binaries

                                                          Contacted IPs

                                                          Public

                                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                                          197.211.59.104 | kashbilly.ddns.net | Nigeria | 37148 | globacom-asNG | false

                                                          General Information

                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                          Analysis ID:552509
                                                          Start date:13.01.2022
                                                          Start time:13:16:18
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 14m 2s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:30
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@22/8@7/1
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HDC Information:
                                                          • Successful, ratio: 1% (good quality ratio 0.8%)
                                                          • Quality average: 60.1%
                                                          • Quality standard deviation: 34.3%
                                                          HCA Information:
                                                          • Successful, ratio: 96%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                          • Not all processes were analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          Time | Type | Description
                                                          13:17:30 | API Interceptor | 907x Sleep call for process: NEW PRICE ENQUIRY FROM PHILLIPINES.exe modified
                                                          13:17:38 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          13:17:39 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" s>$(Arg0)
                                                          13:17:42 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                                          13:17:45 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):784384
                                                          Entropy (8bit):7.771015792978407
                                                          Encrypted:false
                                                          SSDEEP:12288:jOi+lUcXEM6qtPn8tbobGFuWWBJxMDL08n1bimg9jnwHF6KmB5I:6i8XE+P8tb5uWWBM30UbejnsGBW
                                                          MD5:CA0D3CA986E592EC436052F747F833C0
                                                          SHA1:8BDB8EBEA5444C42C75C0B30AC8628D06C6CBCE0
                                                          SHA-256:5E4CCF3D7A2885AB1F1CE83B855EC6F8B771B1731FAD4807F8D57B250A5505AD
                                                          SHA-512:87B8DDE119068E43BEF447A59523565291392F949AFFA3F5F17713A9FCFD0D7C6F466D0E1C0D0F01F8B779A0753279A291C3CB4CA6E604EFB54E390896FD26B3
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 29%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 49%
                                                          Reputation:unknown
                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW PRICE ENQUIRY FROM PHILLIPINES.exe.log
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1310
                                                          Entropy (8bit):5.345651901398759
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                          MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                          SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                          SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                          SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1310
                                                          Entropy (8bit):5.345651901398759
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                          MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                          SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                          SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                          SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1327
                                                          Entropy (8bit):5.13500670090371
                                                          Encrypted:false
                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0VC0xtn:cbk4oL600QydbQxIYODOLedq3Z0j
                                                          MD5:552FA7AF5F278BF5AC6355B61EFF095D
                                                          SHA1:DD4F276FA31AEB75DE477977A807CEE673B5560A
                                                          SHA-256:94E06F5F5470FA4BDC3EB130222C8352A763C2CEC568029C89808427C979A88A
                                                          SHA-512:5E3ABBDDBCA04376DDF72301BDE566A09543CE9D0DF4A2B5EE69AA755FFF151662E2013DAFEEDDEC722D23E1E23F90DAA36B0CDF8D0D7222296A2D2027FBD9D8
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                          C:\Users\user\AppData\Local\Temp\tmp3019.tmp
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):1310
                                                          Entropy (8bit):5.109425792877704
                                                          Encrypted:false
                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:n78:g
                                                          MD5:4FAF345031681B7C40273BC270C99E93
                                                          SHA1:6660712EC422C5B5B9D93EB34CD741DA8316E92B
                                                          SHA-256:4BC0DAC6D0EFDF3534421E795FABFC7943B0ACCC6ECCF113DEFBBD5EA9D7FF54
                                                          SHA-512:6B9B03BE05E6804C27D953E6B57317090F4874E7E545442BB04608BEBB6970EBB22079809FCDF9CF15FB4825373CA2398E6D7757CF5349CD836A47AA65BC05D2
                                                          Malicious:true
                                                          Reputation:unknown
                                                          Preview: M.=....H
                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                          Process:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):4.683114454101657
                                                          Encrypted:false
                                                          SSDEEP:3:oNN2+WrHk2yJn:oNN2RY2Y
                                                          MD5:E26B66631E3B80974878501C3F4E3923
                                                          SHA1:8F9E67EF46D390D95BC032028B6D3C3C66F02504
                                                          SHA-256:09DC45D6D6EEE1813B8F6FD9F73632C6FD99E6E1C5AD63FCF024FC48BEBE2342
                                                          SHA-512:BCC92B9669351D76C9AD44393BD52269DF2C033B80D5FA2B6902D72EAD8FEFCF931B8D3B64FB5B18ABDEB9795FD7565DE68E2596E513BDA1F2C79C4A8BAD3612
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.771015792978407
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                          File name:NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          File size:784384
                                                          MD5:ca0d3ca986e592ec436052f747f833c0
                                                          SHA1:8bdb8ebea5444c42c75c0b30ac8628d06c6cbce0
                                                          SHA256:5e4ccf3d7a2885ab1f1ce83b855ec6f8b771b1731fad4807f8d57b250a5505ad
                                                          SHA512:87b8dde119068e43bef447a59523565291392f949affa3f5f17713a9fcfd0d7c6f466d0e1c0d0f01f8b779a0753279a291c3cb4ca6e604efb54e390896fd26b3
                                                          SSDEEP:12288:jOi+lUcXEM6qtPn8tbobGFuWWBJxMDL08n1bimg9jnwHF6KmB5I:6i8XE+P8tb5uWWBM30UbejnsGBW
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3.a................................. ... ....@.. ....................................@................................

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4c06ee
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x61DE33C2 [Wed Jan 12 01:49:54 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xc06a0          0x4b          .text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x54c         .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc6000          0xc           .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0xc0651          0x1c          .text
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                          Sections

                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                          .text   0x2000           0xbe6f4       0xbe800   False     0.887363383776   data       7.78570516551    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .sdata  0xc2000          0x204         0x400     False     0.458984375      data       4.099059951      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .rsrc   0xc4000          0x54c         0x600     False     0.341145833333   data       2.76865116557    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc  0xc6000          0xc           0x200     False     0.041015625      data       0.0776331623432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          Name           RVA      Size   Type                  Language  Country
                                                          RT_ICON        0xc40e8  0xb0   GLS_BINARY_LSB_FIRST
                                                          RT_GROUP_ICON  0xc4198  0x14   data
                                                          RT_VERSION     0xc41ac  0x3a0  data

                                                          Imports

                                                          DLL          Import
                                                          mscoree.dll  _CorExeMain

                                                          Version Infos

                                                          Description       Data
                                                          Translation       0x0000 0x04b0
                                                          LegalCopyright    Copyright micolous 2006-2007
                                                          Assembly Version  0.1.6.0
                                                          InternalName      PermissionSetAttribu.exe
                                                          FileVersion       0.1.6.0
                                                          CompanyName       micolous
                                                          LegalTrademarks
                                                          Comments
                                                          ProductName       IGA Ad Cache Editor
                                                          ProductVersion    0.1.6.0
                                                          FileDescription   IGA Ad Cache Editor
                                                          OriginalFilename  PermissionSetAttribu.exe

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                          Timestamp                 Protocol  SID  Message                                                       Source Port  Dest Port  Source IP  Dest IP
                                                          01/13/22-13:17:42.583459  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           64267      8.8.8.8    192.168.2.6
                                                          01/13/22-13:17:59.424978  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           60342      8.8.8.8    192.168.2.6
                                                          01/13/22-13:18:51.386646  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           54982      8.8.8.8    192.168.2.6
                                                          01/13/22-13:19:10.154501  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           50010      8.8.8.8    192.168.2.6

                                                          TCP Packets

                                                          Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                          Jan 13, 2022 13:17:42.602291107 CET  49757        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:17:45.600858927 CET  49757        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:17:51.617057085 CET  49757        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:17:59.467313051 CET  49760        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:02.477304935 CET  49760        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:08.477777958 CET  49760        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:16.771198988 CET  49767        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:19.931900024 CET  49767        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:25.932369947 CET  49767        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:33.630498886 CET  49812        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:36.730123997 CET  49812        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:42.730626106 CET  49812        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:51.395036936 CET  49820        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:18:54.403465986 CET  49820        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:19:00.422612906 CET  49820        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:19:10.156089067 CET  49847        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:19:13.152012110 CET  49847        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:19:19.168152094 CET  49847        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:19:28.224725008 CET  49849        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:19:31.231589079 CET  49849        6060       192.168.2.6  197.211.59.104
                                                          Jan 13, 2022 13:19:37.233083963 CET  49849        6060       192.168.2.6  197.211.59.104

                                                          UDP Packets

                                                          Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                          Jan 13, 2022 13:17:42.564188957 CET  64267        53         192.168.2.6  8.8.8.8
                                                          Jan 13, 2022 13:17:42.583458900 CET  53           64267      8.8.8.8      192.168.2.6
                                                          Jan 13, 2022 13:17:59.405607939 CET  60342        53         192.168.2.6  8.8.8.8
                                                          Jan 13, 2022 13:17:59.424978018 CET  53           60342      8.8.8.8      192.168.2.6
                                                          Jan 13, 2022 13:18:16.749871969 CET  58384        53         192.168.2.6  8.8.8.8
                                                          Jan 13, 2022 13:18:16.769443035 CET  53           58384      8.8.8.8      192.168.2.6
                                                          Jan 13, 2022 13:18:33.609488964 CET  50339        53         192.168.2.6  8.8.8.8
                                                          Jan 13, 2022 13:18:33.628575087 CET  53           50339      8.8.8.8      192.168.2.6
                                                          Jan 13, 2022 13:18:51.365160942 CET  54982        53         192.168.2.6  8.8.8.8
                                                          Jan 13, 2022 13:18:51.386646032 CET  53           54982      8.8.8.8      192.168.2.6
                                                          Jan 13, 2022 13:19:10.133548021 CET  50010        53         192.168.2.6  8.8.8.8
                                                          Jan 13, 2022 13:19:10.154500961 CET  53           50010      8.8.8.8      192.168.2.6
                                                          Jan 13, 2022 13:19:28.203470945 CET  62116        53         192.168.2.6  8.8.8.8
                                                          Jan 13, 2022 13:19:28.220710039 CET  53           62116      8.8.8.8      192.168.2.6

                                                          DNS Queries

                                                          Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
                                                          Jan 13, 2022 13:17:42.564188957 CET  192.168.2.6  8.8.8.8  0x2e71    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:17:59.405607939 CET  192.168.2.6  8.8.8.8  0x6c08    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:16.749871969 CET  192.168.2.6  8.8.8.8  0xe1a1    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:33.609488964 CET  192.168.2.6  8.8.8.8  0xc4c4    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:51.365160942 CET  192.168.2.6  8.8.8.8  0x37c9    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:10.133548021 CET  192.168.2.6  8.8.8.8  0x6a08    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:28.203470945 CET  192.168.2.6  8.8.8.8  0x1b92    Standard query (0)  kashbilly.ddns.net  A (IP address)  IN (0x0001)

                                                          DNS Answers

                                                          Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class
                                                          Jan 13, 2022 13:17:42.583458900 CET  8.8.8.8    192.168.2.6  0x2e71    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:17:59.424978018 CET  8.8.8.8    192.168.2.6  0x6c08    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:16.769443035 CET  8.8.8.8    192.168.2.6  0xe1a1    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:33.628575087 CET  8.8.8.8    192.168.2.6  0xc4c4    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:18:51.386646032 CET  8.8.8.8    192.168.2.6  0x37c9    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:10.154500961 CET  8.8.8.8    192.168.2.6  0x6a08    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)
                                                          Jan 13, 2022 13:19:28.220710039 CET  8.8.8.8    192.168.2.6  0x1b92    No error (0)  kashbilly.ddns.net         197.211.59.104  A (IP address)  IN (0x0001)

                                                          Code Manipulations

                                                          Statistics

                                                          Behavior

                                                          System Behavior

                                                          General

                                                          Start time:13:17:22
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe"
                                                          Imagebase:0xd60000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.376963060.0000000004139000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.375378918.0000000003131000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:30
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Imagebase:0xd30000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.372599487.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.371642803.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.372095812.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.621084177.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.628691337.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.629967529.0000000004199000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.630554205.0000000005910000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.630910643.0000000006700000.00000004.00020000.sdmp, Author: Joe Security
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000000.371099003.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:35
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1E56.tmp
                                                          Imagebase:0xa40000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:37
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff61de10000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:39
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe" 0
                                                          Imagebase:0x110000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.405885407.00000000023F1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.407251723.00000000033F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:40
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp3019.tmp
                                                          Imagebase:0xa40000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:41
                                                          Start date:13/01/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff61de10000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:13:17:42
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                                          Imagebase:0x940000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.415561117.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.416144322.0000000003DE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Antivirus matches:
                                                          • Detection: 29%, Metadefender, Browse
                                                          • Detection: 49%, ReversingLabs
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:43
                                                          Start date:13/01/2022
                                                          Path:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\NEW PRICE ENQUIRY FROM PHILLIPINES.exe
                                                          Imagebase:0xb30000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.401599890.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.399852630.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.419651818.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.422650561.0000000003F39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.400872945.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.402275607.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.422458870.0000000002F31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:46
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                          Imagebase:0x280000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.438498582.00000000037F9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.436456049.00000000027F1000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:46
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0x760000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.407997541.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.410261588.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.432251461.0000000003B29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.407141178.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.432084742.0000000002B21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.430827795.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.408833633.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:51
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0x3c0000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:53
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0x170000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:13:17:56
                                                          Start date:13/01/2022
                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                          Imagebase:0xa40000
                                                          File size:784384 bytes
                                                          MD5 hash:CA0D3CA986E592EC436052F747F833C0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.429662916.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.432836142.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.451199404.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.431618289.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000000.430712249.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.449718665.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.451040533.0000000002E41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                          Reputation:low

                                                          Disassembly

                                                          Code Analysis
