Edit tour

Windows Analysis Report
Revised invoice.exe

Overview

General Information

Sample Name:	Revised invoice.exe
Analysis ID:	560096
MD5:	4bab1b0e7bbb12d6280a75eb3475b45b
SHA1:	2c6da100c498a0862cafc338b7570ad3714c716e
SHA256:	1a4032263b7f92e02d65cac6f7e483c1897dafb8b9c47937758fec3da22f154c
Tags:	exenanocore
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w10x64

Revised invoice.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\Revised invoice.exe" MD5: 4BAB1B0E7BBB12D6280A75EB3475B45B)

Revised invoice.exe (PID: 6692 cmdline: C:\Users\user\Desktop\Revised invoice.exe MD5: 4BAB1B0E7BBB12D6280A75EB3475B45B)

dhcpmon.exe (PID: 2904 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 4BAB1B0E7BBB12D6280A75EB3475B45B)

dhcpmon.exe (PID: 5644 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 4BAB1B0E7BBB12D6280A75EB3475B45B)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c48b433d-6e7a-4320-ac18-2f1271be", "Group": "Default", "Domain1": "derarawfile10.ddns.net", "Domain2": "212.192.246250", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f15:$a: NanoCore 0x42f6e:$a: NanoCore 0x42fab:$a: NanoCore 0x43024:$a: NanoCore 0x566cf:$a: NanoCore 0x566e4:$a: NanoCore 0x56719:$a: NanoCore 0x6f19b:$a: NanoCore 0x6f1b0:$a: NanoCore 0x6f1e5:$a: NanoCore 0x42f77:$b: ClientPlugin 0x42fb4:$b: ClientPlugin 0x438b2:$b: ClientPlugin 0x438bf:$b: ClientPlugin 0x5648b:$b: ClientPlugin 0x564a6:$b: ClientPlugin 0x564d6:$b: ClientPlugin 0x566ed:$b: ClientPlugin 0x56722:$b: ClientPlugin 0x6ef57:$b: ClientPlugin 0x6ef72:$b: ClientPlugin
00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.470438107.000000000319C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6c8a5:$x1: NanoCore.ClientPluginHost 0x9f2c5:$x1: NanoCore.ClientPluginHost 0xd1ae5:$x1: NanoCore.ClientPluginHost 0x6c8e2:$x2: IClientNetworkHost 0x9f302:$x2: IClientNetworkHost 0xd1b22:$x2: IClientNetworkHost 0x70415:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa2e35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd5655:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6c60d:$a: NanoCore 0x6c61d:$a: NanoCore 0x6c851:$a: NanoCore 0x6c865:$a: NanoCore 0x6c8a5:$a: NanoCore 0x9f02d:$a: NanoCore 0x9f03d:$a: NanoCore 0x9f271:$a: NanoCore 0x9f285:$a: NanoCore 0x9f2c5:$a: NanoCore 0xd184d:$a: NanoCore 0xd185d:$a: NanoCore 0xd1a91:$a: NanoCore 0xd1aa5:$a: NanoCore 0xd1ae5:$a: NanoCore 0x6c66c:$b: ClientPlugin 0x6c86e:$b: ClientPlugin 0x6c8ae:$b: ClientPlugin 0x9f08c:$b: ClientPlugin 0x9f28e:$b: ClientPlugin 0x9f2ce:$b: ClientPlugin
00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b104:$a: NanoCore 0x1b5f1:$a: NanoCore 0x1bc8d:$a: NanoCore 0x25c93:$a: NanoCore 0x25cb9:$a: NanoCore 0x25d15:$a: NanoCore 0x32b7b:$a: NanoCore 0x32bd4:$a: NanoCore 0x32c07:$a: NanoCore 0x32e33:$a: NanoCore 0x32eaf:$a: NanoCore 0x334c8:$a: NanoCore 0x33611:$a: NanoCore 0x33ae5:$a: NanoCore 0x33dcc:$a: NanoCore 0x33de3:$a: NanoCore 0x3cf37:$a: NanoCore 0x3cfb3:$a: NanoCore 0x3f896:$a: NanoCore 0x44e6d:$a: NanoCore 0x44ee7:$a: NanoCore
0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6c8a5:$x1: NanoCore.ClientPluginHost 0x9f2c5:$x1: NanoCore.ClientPluginHost 0xd1ae5:$x1: NanoCore.ClientPluginHost 0x6c8e2:$x2: IClientNetworkHost 0x9f302:$x2: IClientNetworkHost 0xd1b22:$x2: IClientNetworkHost 0x70415:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa2e35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd5655:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6c60d:$a: NanoCore 0x6c61d:$a: NanoCore 0x6c851:$a: NanoCore 0x6c865:$a: NanoCore 0x6c8a5:$a: NanoCore 0x9f02d:$a: NanoCore 0x9f03d:$a: NanoCore 0x9f271:$a: NanoCore 0x9f285:$a: NanoCore 0x9f2c5:$a: NanoCore 0xd184d:$a: NanoCore 0xd185d:$a: NanoCore 0xd1a91:$a: NanoCore 0xd1aa5:$a: NanoCore 0xd1ae5:$a: NanoCore 0x6c66c:$b: ClientPlugin 0x6c86e:$b: ClientPlugin 0x6c8ae:$b: ClientPlugin 0x9f08c:$b: ClientPlugin 0x9f28e:$b: ClientPlugin 0x9f2ce:$b: ClientPlugin
0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.406375161.0000000003311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6943b:$a: NanoCore 0x69494:$a: NanoCore 0x694d1:$a: NanoCore 0x6954a:$a: NanoCore 0x6949d:$b: ClientPlugin 0x694da:$b: ClientPlugin 0x69dd8:$b: ClientPlugin 0x69de5:$b: ClientPlugin 0x5f09a:$e: KeepAlive 0x69925:$g: LogClientMessage 0x698a5:$i: get_Connected 0x59871:$j: #=q 0x598a1:$j: #=q 0x598dd:$j: #=q 0x59905:$j: #=q 0x59935:$j: #=q 0x59965:$j: #=q 0x59995:$j: #=q 0x599c5:$j: #=q 0x599e1:$j: #=q 0x59a11:$j: #=q
00000000.00000002.406688531.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Revised invoice.exe PID: 6272	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x55319:$x1: NanoCore.ClientPluginHost 0x55356:$x2: IClientNetworkHost 0x58e47:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63ecd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6fe83:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b20e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Revised invoice.exe PID: 6272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Revised invoice.exe PID: 6272	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Revised invoice.exe PID: 6272	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x54fe6:$a: NanoCore 0x54ff6:$a: NanoCore 0x550b5:$a: NanoCore 0x550c4:$a: NanoCore 0x552c5:$a: NanoCore 0x552d9:$a: NanoCore 0x55319:$a: NanoCore 0x60537:$a: NanoCore 0x60549:$a: NanoCore 0x60585:$a: NanoCore 0x6c4ed:$a: NanoCore 0x6c4ff:$a: NanoCore 0x6c53b:$a: NanoCore 0x77878:$a: NanoCore 0x7788a:$a: NanoCore 0x778c6:$a: NanoCore 0x55045:$b: ClientPlugin 0x5510e:$b: ClientPlugin 0x552e2:$b: ClientPlugin 0x55322:$b: ClientPlugin 0x60552:$b: ClientPlugin
Process Memory Space: Revised invoice.exe PID: 6692	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5e66e:$x1: NanoCore.ClientPluginHost 0xd770c:$x1: NanoCore.ClientPluginHost 0x11b178:$x1: NanoCore.ClientPluginHost 0x1a1232:$x1: NanoCore.ClientPluginHost 0x5e6ab:$x2: IClientNetworkHost 0xd76f9:$x2: IClientNetworkHost 0x11b1b5:$x2: IClientNetworkHost 0x1a124c:$x2: IClientNetworkHost 0x6219c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6d222:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Revised invoice.exe PID: 6692	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Revised invoice.exe PID: 6692	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x50f71:$a: NanoCore 0x51008:$a: NanoCore 0x5e33b:$a: NanoCore 0x5e34b:$a: NanoCore 0x5e40a:$a: NanoCore 0x5e419:$a: NanoCore 0x5e61a:$a: NanoCore 0x5e62e:$a: NanoCore 0x5e66e:$a: NanoCore 0x6988c:$a: NanoCore 0x6989e:$a: NanoCore 0x698da:$a: NanoCore 0x7c1a0:$a: NanoCore 0x7c1b4:$a: NanoCore 0x7c684:$a: NanoCore 0x96da3:$a: NanoCore 0x96db7:$a: NanoCore 0xb0cf7:$a: NanoCore 0xd6bad:$a: NanoCore 0xd707e:$a: NanoCore 0xd770c:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 2904	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x22a27:$x1: NanoCore.ClientPluginHost 0x22a64:$x2: IClientNetworkHost 0x26555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x315db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3d591:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4891c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 2904	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 2904	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 2904	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x226f4:$a: NanoCore 0x22704:$a: NanoCore 0x227c3:$a: NanoCore 0x227d2:$a: NanoCore 0x229d3:$a: NanoCore 0x229e7:$a: NanoCore 0x22a27:$a: NanoCore 0x2dc45:$a: NanoCore 0x2dc57:$a: NanoCore 0x2dc93:$a: NanoCore 0x39bfb:$a: NanoCore 0x39c0d:$a: NanoCore 0x39c49:$a: NanoCore 0x44f86:$a: NanoCore 0x44f98:$a: NanoCore 0x44fd4:$a: NanoCore 0x22753:$b: ClientPlugin 0x2281c:$b: ClientPlugin 0x229f0:$b: ClientPlugin 0x22a30:$b: ClientPlugin 0x2dc60:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 5644	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe13:$x1: NanoCore.ClientPluginHost 0x3e03a:$x1: NanoCore.ClientPluginHost 0x6af2d:$x1: NanoCore.ClientPluginHost 0xe50:$x2: IClientNetworkHost 0x3e054:$x2: IClientNetworkHost 0x6af47:$x2: IClientNetworkHost 0x4941:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf9c7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5644	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5644	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xae0:$a: NanoCore 0xaf0:$a: NanoCore 0xbaf:$a: NanoCore 0xbbe:$a: NanoCore 0xdbf:$a: NanoCore 0xdd3:$a: NanoCore 0xe13:$a: NanoCore 0xc031:$a: NanoCore 0xc043:$a: NanoCore 0xc07f:$a: NanoCore 0x3cb6a:$a: NanoCore 0x3dfa4:$a: NanoCore 0x3dffd:$a: NanoCore 0x3e03a:$a: NanoCore 0x3e0b3:$a: NanoCore 0x3e96c:$a: NanoCore 0x3e9bf:$a: NanoCore 0x3e9f8:$a: NanoCore 0x3ea6b:$a: NanoCore 0x4603d:$a: NanoCore 0x46050:$a: NanoCore
Click to see the 55 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.dhcpmon.exe.413b136.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
12.2.dhcpmon.exe.413b136.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
12.2.dhcpmon.exe.413b136.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.413b136.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
4.2.Revised invoice.exe.29fca78.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.Revised invoice.exe.29fca78.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.dhcpmon.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.dhcpmon.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Revised invoice.exe.43a8138.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Revised invoice.exe.43a8138.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Revised invoice.exe.43a8138.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Revised invoice.exe.43a8138.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.0.Revised invoice.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.Revised invoice.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.Revised invoice.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.Revised invoice.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.0.Revised invoice.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.Revised invoice.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.Revised invoice.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.Revised invoice.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.Revised invoice.exe.2a6e750.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb7e7:$x1: NanoCore.ClientPluginHost 0x1371d:$x1: NanoCore.ClientPluginHost 0x19700:$x1: NanoCore.ClientPluginHost 0x2317b:$x1: NanoCore.ClientPluginHost 0x2d5b7:$x1: NanoCore.ClientPluginHost 0x385a9:$x1: NanoCore.ClientPluginHost 0x4435f:$x1: NanoCore.ClientPluginHost 0x500b6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb820:$x2: IClientNetworkHost 0x13756:$x2: IClientNetworkHost 0x232d8:$x2: IClientNetworkHost 0x2d5f0:$x2: IClientNetworkHost 0x385c3:$x2: IClientNetworkHost 0x44379:$x2: IClientNetworkHost 0x500f3:$x2: IClientNetworkHost
4.2.Revised invoice.exe.2a6e750.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb7e7:$a: NanoCore 0xb863:$a: NanoCore 0xe146:$a: NanoCore 0x1371d:$a: NanoCore 0x13797:$a: NanoCore 0x19700:$a: NanoCore 0x1974a:$a: NanoCore 0x1a3a4:$a: NanoCore 0x2317b:$a: NanoCore 0x23265:$a: NanoCore 0x240dc:$a: NanoCore
4.2.Revised invoice.exe.2a54acc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23c1:$x1: NanoCore.ClientPluginHost 0x23ae:$x2: IClientNetworkHost
4.2.Revised invoice.exe.2a54acc.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x23c1:$x2: NanoCore.ClientPluginHost 0x1565:$s4: PipeCreated
12.2.dhcpmon.exe.413ff6c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
12.2.dhcpmon.exe.413ff6c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
12.2.dhcpmon.exe.413ff6c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.dhcpmon.exe.4145718.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.4145718.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.dhcpmon.exe.4145718.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.4145718.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.Revised invoice.exe.4375718.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Revised invoice.exe.4375718.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Revised invoice.exe.4375718.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Revised invoice.exe.4375718.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.0.Revised invoice.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.Revised invoice.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.Revised invoice.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.Revised invoice.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Revised invoice.exe.335da74.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.dhcpmon.exe.31b0df8.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.0.Revised invoice.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.Revised invoice.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.Revised invoice.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.Revised invoice.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Revised invoice.exe.33e0f18.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
12.2.dhcpmon.exe.315965c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.dhcpmon.exe.315965c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.dhcpmon.exe.413ff6c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.dhcpmon.exe.413ff6c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.413ff6c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.4178138.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.4178138.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.dhcpmon.exe.4178138.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.4178138.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.dhcpmon.exe.4144595.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
12.2.dhcpmon.exe.4144595.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
12.2.dhcpmon.exe.4144595.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.312da44.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.Revised invoice.exe.2a5a114.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.2.Revised invoice.exe.2a5a114.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.dhcpmon.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.dhcpmon.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.0.Revised invoice.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.0.Revised invoice.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.0.Revised invoice.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.0.Revised invoice.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.Revised invoice.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.Revised invoice.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.Revised invoice.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.Revised invoice.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.dhcpmon.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.dhcpmon.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.dhcpmon.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.dhcpmon.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.0.dhcpmon.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.0.dhcpmon.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.Revised invoice.exe.2a5a114.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d1f:$x1: NanoCore.ClientPluginHost 0x1fe23:$x1: NanoCore.ClientPluginHost 0x27d59:$x1: NanoCore.ClientPluginHost 0x2dd3c:$x1: NanoCore.ClientPluginHost 0x377b7:$x1: NanoCore.ClientPluginHost 0x41bf3:$x1: NanoCore.ClientPluginHost 0x4cbe5:$x1: NanoCore.ClientPluginHost 0x5899b:$x1: NanoCore.ClientPluginHost 0x646f2:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d58:$x2: IClientNetworkHost 0x1fe5c:$x2: IClientNetworkHost 0x27d92:$x2: IClientNetworkHost 0x37914:$x2: IClientNetworkHost 0x41c2c:$x2: IClientNetworkHost 0x4cbff:$x2: IClientNetworkHost 0x589b5:$x2: IClientNetworkHost 0x6472f:$x2: IClientNetworkHost
4.2.Revised invoice.exe.2a5a114.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a67:$a: NanoCore 0x15ac0:$a: NanoCore 0x15af3:$a: NanoCore 0x15d1f:$a: NanoCore 0x15d9b:$a: NanoCore 0x163b4:$a: NanoCore 0x164fd:$a: NanoCore 0x169d1:$a: NanoCore 0x16cb8:$a: NanoCore 0x16ccf:$a: NanoCore 0x1fe23:$a: NanoCore 0x1fe9f:$a: NanoCore 0x22782:$a: NanoCore 0x27d59:$a: NanoCore 0x27dd3:$a: NanoCore 0x2dd3c:$a: NanoCore 0x2dd86:$a: NanoCore 0x2e9e0:$a: NanoCore
4.2.Revised invoice.exe.2a54acc.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3638:$a: NanoCore 0x3b25:$a: NanoCore 0x41c1:$a: NanoCore 0xe1c7:$a: NanoCore 0xe1ed:$a: NanoCore 0xe249:$a: NanoCore 0x1b0af:$a: NanoCore 0x1b108:$a: NanoCore 0x1b13b:$a: NanoCore 0x1b367:$a: NanoCore 0x1b3e3:$a: NanoCore 0x1b9fc:$a: NanoCore 0x1bb45:$a: NanoCore 0x1c019:$a: NanoCore 0x1c300:$a: NanoCore 0x1c317:$a: NanoCore 0x2546b:$a: NanoCore 0x254e7:$a: NanoCore 0x27dca:$a: NanoCore 0x2d3a1:$a: NanoCore 0x2d41b:$a: NanoCore
0.2.Revised invoice.exe.43a8138.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Revised invoice.exe.43a8138.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Revised invoice.exe.43a8138.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x1119f3:$c: ProjectData 0x179413:$c: ProjectData 0x10a82:$d: DESCrypto
11.2.dhcpmon.exe.4178138.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.4178138.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.4178138.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x1119f3:$c: ProjectData 0x179413:$c: ProjectData 0x10a82:$d: DESCrypto
11.2.dhcpmon.exe.4145718.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x753cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x7540a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x78f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.4145718.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.4145718.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0x75135:$a: NanoCore 0x75145:$a: NanoCore 0x75379:$a: NanoCore 0x7538d:$a: NanoCore 0x753cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin
0.2.Revised invoice.exe.4375718.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x753cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x7540a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x78f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Revised invoice.exe.4375718.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Revised invoice.exe.4375718.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0x75135:$a: NanoCore 0x75145:$a: NanoCore 0x75379:$a: NanoCore 0x7538d:$a: NanoCore 0x753cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin
Click to see the 101 entries

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Revised invoice.exe, ProcessId: 6692, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Revised invoice.exe, ProcessId: 6692, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Revised invoice.exe, ProcessId: 6692, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c48b433d-6e7a-4320-ac18-2f1271be", "Group": "Default", "Domain1": "derarawfile10.ddns.net", "Domain2": "212.192.246250", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: Revised invoice.exe

ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: derarawfile10.ddns.net

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 23%

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.4144595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR

Machine Learning detection for sample

Source: Revised invoice.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: 4.0.Revised invoice.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.Revised invoice.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.Revised invoice.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.Revised invoice.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.Revised invoice.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.Revised invoice.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: Revised invoice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Revised invoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ARM\Desktop\ncsource\Plugins\CorePlugin\CoreClientPlugin\obj\Release\CoreClientPlugin.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 212.192.246250
Source: Malware configuration extractor	URLs: derarawfile10.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: derarawfile10.ddns.net

Source: Joe Sandbox View

ASN Name: GUDAEV-ASRU GUDAEV-ASRU

Source: global traffic

TCP traffic: 192.168.2.6:49760 -> 85.202.169.154:1187

Source: Revised invoice.exe, 00000000.00000003.356633716.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356841100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356915572.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Revised invoice.exe, 00000000.00000003.357972442.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357162871.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356996176.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.358148540.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357338520.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357778044.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357505167.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com#
Source: Revised invoice.exe, 00000000.00000003.356841100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356915572.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comX2
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: Revised invoice.exe, 00000000.00000003.394245963.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410670704.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.394510528.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.394372093.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.394089096.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Revised invoice.exe, 00000000.00000003.369688026.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370035509.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369763768.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369845471.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370258143.0000000006233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Revised invoice.exe, 00000000.00000003.370879570.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369688026.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370035509.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370392686.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370542926.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369763768.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370742797.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369845471.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370258143.0000000006233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html#
Source: Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com#
Source: Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com-
Source: Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comF%
Source: Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comac
Source: Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comces00
Source: Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comcr_
Source: Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.come
Source: Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.come-d
Source: Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comes
Source: Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comes22
Source: Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comi
Source: Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comic
Source: Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comint
Source: Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comm
Source: Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368137719.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367578995.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368054486.0000000006234000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367728953.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367876523.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367578995.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comoaV2
Source: Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comros
Source: Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comx%
Source: Revised invoice.exe, 00000000.00000002.406349724.0000000001A67000.00000004.00000020.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Revised invoice.exe, 00000000.00000003.394089096.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Revised invoice.exe, 00000000.00000003.373947160.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Revised invoice.exe, 00000000.00000003.380642548.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.380409949.000000000624E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Revised invoice.exe, 00000000.00000003.380409949.000000000624E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlt
Source: Revised invoice.exe, 00000000.00000003.377056015.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377333224.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377181974.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377517366.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Revised invoice.exe, 00000000.00000003.377291056.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377794899.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.378110058.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377030811.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377497410.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377619595.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.379352983.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377931382.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377160989.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlefa
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Revised invoice.exe, 00000000.00000003.394089096.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersH0
Source: Revised invoice.exe, 00000000.00000003.383733657.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: Revised invoice.exe, 00000000.00000003.374079868.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: Revised invoice.exe, 00000000.00000002.406349724.0000000001A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comica
Source: Revised invoice.exe, 00000000.00000002.406349724.0000000001A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Revised invoice.exe, 00000000.00000003.364432152.0000000006234000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.362696477.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363910398.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363022467.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363989041.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363760748.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363384800.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363563968.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364542463.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364298191.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.362926280.0000000006234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Revised invoice.exe, 00000000.00000003.363910398.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363989041.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363760748.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363384800.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363563968.0000000006230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Revised invoice.exe, 00000000.00000003.363384800.0000000006230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn//
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Revised invoice.exe, 00000000.00000003.363022467.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn;
Source: Revised invoice.exe, 00000000.00000003.362696477.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.362926280.0000000006234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnh
Source: Revised invoice.exe, 00000000.00000003.363022467.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnno
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Revised invoice.exe, 00000000.00000003.387775919.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387963973.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388779559.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388306201.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388109557.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388535003.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387576262.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Revised invoice.exe, 00000000.00000003.387775919.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389674141.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387963973.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388779559.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389422039.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388306201.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388109557.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389227415.000000000622C000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388535003.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389804972.000000000622C000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387576262.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389543097.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388898410.000000000622C000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389047637.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm2
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr8b1
Source: Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kras
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Revised invoice.exe, 00000000.00000003.372065578.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.372345940.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.372196965.0000000006231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.f
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Revised invoice.exe, 00000000.00000003.353759018.0000000006212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com/
Source: Revised invoice.exe, 00000000.00000003.353759018.0000000006212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.361492036.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Revised invoice.exe, 00000000.00000003.361492036.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr=
Source: Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.361492036.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krn-uy1
Source: Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krs-c
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Revised invoice.exe, 00000000.00000003.364201705.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comg
Source: Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Revised invoice.exe, 00000000.00000003.373403063.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.383925059.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384255026.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384447138.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384106288.0000000006237000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373545548.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384668334.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373690092.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384524248.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Revised invoice.exe, 00000000.00000003.383925059.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384255026.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384447138.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384106288.0000000006237000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384524248.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de.
Source: Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Revised invoice.exe, 00000000.00000003.373403063.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.374079868.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373947160.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373821747.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373545548.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373690092.0000000006230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deoa&
Source: Revised invoice.exe, 00000000.00000003.374215463.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373403063.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.374079868.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373947160.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373821747.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373545548.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373690092.0000000006230000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deoi
Source: Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn(ii)
Source: Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn-
Source: Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnZ
Source: Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368137719.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367578995.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368054486.0000000006234000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367728953.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367876523.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnicrc
Source: Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnr-c

Source: unknown

DNS traffic detected: queries for: derarawfile10.ddns.net

Source: dhcpmon.exe, 0000000B.00000002.468932199.00000000014E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dhcpmon.exe, 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.4144595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Revised invoice.exe.29fca78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Revised invoice.exe.2a6e750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Revised invoice.exe.2a6e750.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Revised invoice.exe.2a54acc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.413ff6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.dhcpmon.exe.315965c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.413ff6c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.dhcpmon.exe.4144595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Revised invoice.exe.2a5a114.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Revised invoice.exe.2a5a114.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Revised invoice.exe.2a5a114.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Revised invoice.exe.2a54acc.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Revised invoice.exe

Source: Revised invoice.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Revised invoice.exe.29fca78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Revised invoice.exe.29fca78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Revised invoice.exe.2a6e750.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Revised invoice.exe.2a6e750.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Revised invoice.exe.2a54acc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Revised invoice.exe.2a54acc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.413ff6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.413ff6c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.dhcpmon.exe.315965c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.315965c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.413ff6c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.413ff6c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.dhcpmon.exe.4144595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.dhcpmon.exe.4144595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.Revised invoice.exe.2a5a114.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Revised invoice.exe.2a5a114.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Revised invoice.exe.2a5a114.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Revised invoice.exe.2a5a114.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Revised invoice.exe.2a54acc.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_057AE5F0
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_057AE5E3
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_057AC1A4
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CFDE90
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CF4DE9
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CF4DF8
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CF5938
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CF4B80
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CF4B90
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_00E4E480
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_00E4E471
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_00E4BBD4
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_02999788
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_0299F5F8
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_0299A610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_016EC1A4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_016EE5E2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_016EE5F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_0731DE90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_07314DF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_07314DE9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_07314B90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_07314B80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_07314A90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_07315938
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0172E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0172E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_0172BBD4

Source: Revised invoice.exe, 00000000.00000002.405741786.000000000104C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIIterat.exeZ vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.406488219.0000000003373000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIIterat.exeZ vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.406488219.0000000003373000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.406488219.0000000003373000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.406375161.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.406375161.0000000003311000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.406688531.00000000033CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Revised invoice.exe
Source: Revised invoice.exe, 00000000.00000002.411311769.0000000007BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000000.400488211.000000000055C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIIterat.exeZ vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll" vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000003.432033154.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.617973159.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Revised invoice.exe
Source: Revised invoice.exe, 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Revised invoice.exe
Source: Revised invoice.exe	Binary or memory string: OriginalFilenameIIterat.exeZ vs Revised invoice.exe

Source: Revised invoice.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Revised invoice.exe

ReversingLabs: Detection: 16%

Source: C:\Users\user\Desktop\Revised invoice.exe

File read: C:\Users\user\Desktop\Revised invoice.exe:Zone.Identifier

Jump to behavior

Source: Revised invoice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Revised invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Revised invoice.exe "C:\Users\user\Desktop\Revised invoice.exe"
Source: C:\Users\user\Desktop\Revised invoice.exe	Process created: C:\Users\user\Desktop\Revised invoice.exe C:\Users\user\Desktop\Revised invoice.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Revised invoice.exe	Process created: C:\Users\user\Desktop\Revised invoice.exe C:\Users\user\Desktop\Revised invoice.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\Revised invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\Revised invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Revised invoice.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/8@15/2

Source: C:\Users\user\Desktop\Revised invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Revised invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Revised invoice.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{c48b433d-6e7a-4320-ac18-2f1271be71c2}

Source: C:\Users\user\Desktop\Revised invoice.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 4.0.Revised invoice.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Revised invoice.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.Revised invoice.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Revised invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Revised invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Revised invoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ARM\Desktop\ncsource\Plugins\CorePlugin\CoreClientPlugin\obj\Release\CoreClientPlugin.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Revised invoice.exe, iiInfinityuser.Application/Form1.cs	.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Revised invoice.exe.f80000.0.unpack, iiInfinityuser.Application/Form1.cs	.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Revised invoice.exe.f80000.0.unpack, iiInfinityuser.Application/Form1.cs	.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.4.dr, iiInfinityuser.Application/Form1.cs	.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Revised invoice.exe.490000.3.unpack, iiInfinityuser.Application/Form1.cs	.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Revised invoice.exe.490000.9.unpack, iiInfinityuser.Application/Form1.cs	.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Revised invoice.exe.490000.1.unpack, iiInfinityuser.Application/Form1.cs	.Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Revised invoice.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Revised invoice.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_057AF9B3 pushad ; iretd
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CF967B push edi; iretd
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 0_2_05CF4A90 push 00000049h; iretd
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_0299A20C push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_029969F8 pushad ; retf
Source: C:\Users\user\Desktop\Revised invoice.exe	Code function: 4_2_029969FA push esp; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_016EF9B2 pushad ; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_07220E75 push FFFFFF8Bh; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_0731967B push edi; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.52802106198
Source: initial sample	Static PE information: section name: .text entropy: 7.52802106198

Source: 4.0.Revised invoice.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.0.Revised invoice.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Revised invoice.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Revised invoice.exe

File opened: C:\Users\user\Desktop\Revised invoice.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\Revised invoice.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Revised invoice.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.Revised invoice.exe.335da74.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.31b0df8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.33e0f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.312da44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.470438107.000000000319C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.406375161.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.406688531.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Revised invoice.exe, 00000000.00000002.406375161.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.406688531.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000B.00000002.470438107.000000000319C000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Revised invoice.exe, 00000000.00000002.406375161.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.406688531.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000B.00000002.470438107.000000000319C000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Revised invoice.exe TID: 6276	Thread sleep time: -40946s >= -30000s
Source: C:\Users\user\Desktop\Revised invoice.exe TID: 6324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Revised invoice.exe TID: 7076	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\Desktop\Revised invoice.exe TID: 7000	Thread sleep time: -80000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5372	Thread sleep time: -37882s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6184	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Revised invoice.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Revised invoice.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Revised invoice.exe	Window / User API: threadDelayed 5304
Source: C:\Users\user\Desktop\Revised invoice.exe	Window / User API: threadDelayed 3429
Source: C:\Users\user\Desktop\Revised invoice.exe	Window / User API: foregroundWindowGot 437
Source: C:\Users\user\Desktop\Revised invoice.exe	Window / User API: foregroundWindowGot 519

Source: C:\Users\user\Desktop\Revised invoice.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Revised invoice.exe	Thread delayed: delay time: 40946
Source: C:\Users\user\Desktop\Revised invoice.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Revised invoice.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 37882
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Revised invoice.exe, 00000004.00000002.618114211.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dhcpmon.exe, 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Revised invoice.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Revised invoice.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Revised invoice.exe	Process created: C:\Users\user\Desktop\Revised invoice.exe C:\Users\user\Desktop\Revised invoice.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000004.00000002.619178408.0000000002B51000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Users\user\Desktop\Revised invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Users\user\Desktop\Revised invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Revised invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Revised invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Revised invoice.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.4144595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Revised invoice.exe, 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Revised invoice.exe, 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Class10gdelegate0_0gclass0_0gstruct0_0gclass1_0gclass2_0gclass3_0class9_0smethod_0type_0contextValue_0string_0ulong_0bool_0gparam_0cultureInfo_0lastInputInfo_0stringBuilder_0resourceManager_0timer_0uintptr_0memoryStatus_0object_0uint_0ushort_0iclientDataHost_0iclientNetworkHost_0iclientAppHost_0GDelegate0GClass0GStruct0Class11gdelegate0_1class1_1smethod_1string_1ulong_1bool_1cultureInfo_1intptr_1object_1uint_1Class1`1IEnumerable`1ContextValue`1IEnumerator`1List`1GClass1Class12Int32class1_2smethod_2ulong_2intptr_2int_2KeyValuePair`2Dictionary`2GClass2Class13class1_3smethod_3GClass3Class14smethod_4Class4Class15method_5Class5Class16method_6Class6Class17method_7Class7Class18method_8Class8Class19method_9Class9<Module>System.IOTvalue__GetFirstRunDataProjectDatamscorlibSystem.Collections.GenericMicrosoft.VisualBasicGetWindowThreadProcessIdGetProcessByIdAddConnectionStateChangedConnectionFailedPipeClosedPipeCreatedget_BytesReceivedSynchronizedCoreCommandSystemCommandConnectionCommandRoundGetMethodmethodNetworkInterfaceStackTraceCreateInstancedefaultInstanceDivideGetHashCodeget_UnicodeAddRangeChangeBuildingHostCacheEndInvokeBeginInvokeIDisposableRuntimeMethodHandleGetModuleHandleRuntimeTypeHandleGetTypeFromHandleGetProcessHandleToSingleAvailablePageFileTotalPageFileset_WindowStyleProcessWindowStyleget_NameGetApplicationExecutableNameGetClientExecutableNameGetRandomFileNameGetFileNameget_FullNameget_ProcessNameGetNameAssemblyNameGetApplicationFriendlyNameGetClientFriendlyNameStackFrameGetFrameDateTimeOneCombineCommandTypeCheckForSyncLockOnValueTypeget_DeclaringTypeNanoCoreMethodBaseApplicationBaseApplicationSettingsBaseDisposeUpdateMulticastDelegateEditorBrowsableStateCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeStandardModuleAttributeHideModuleNameAttributeAssemblyTrademarkAttributeDebuggerHiddenAttributeAssemblyFileVersionAttributeMyGroupCollectionAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeCLSCompliantAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteget_Valueset_ValueLookupPrivilegeValueGetObjectValueGetValueMoveRemoveget_SizeInitializeSizeOfSystem.ThreadingEncodingToStringMathget_ExecutablePathGetTempPathobjAsyncCallbackTimerCallbackcallbackIClientNetworkTotalPhysicalAvailablePhsyicalMarshalDecimalMicrosoft.VisualBasic.MyServices.InternalAvailableVirtualTotalVirtualAvailableExVirtualSystem.ComponentModelHandleConnectionCommandUninstalladvapi32.dllkernel32.dlluser32.dllCoreClientPlugin.dllObjectFlowControlget_Itemset_ItemSystemEnumBooleanget_MetadataTokenOpenProcessTokenGetPublicKeyTokenMinNanoCore.ClientPluginCoreClientPluginGetIsRunningAsAdminApplicationSystem.Net.NetworkInformationUnicastIPAddressInformationSystem.ConfigurationSystem.GlobalizationSystem.ReflectionUnicastIPAddressInformationCollectionIClientNameObject
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Revised invoice.exe, 00000004.00000003.432033154.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Revised invoice.exe, 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Revised invoice.exe, 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 12.2.dhcpmon.exe.413b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.413ff6c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.4144595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Revised invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Revised invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.43a8138.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4178138.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.4145718.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Revised invoice.exe.4375718.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Revised invoice.exe PID: 6692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5644, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	112 Process Injection	2 Masquerading	21 Input Capture	1 Query Registry	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Revised invoice.exe	16%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoBot
Revised invoice.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	23%	ReversingLabs	ByteCode-MSIL.Trojan.DarkStealerLoader

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.Revised invoice.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.Revised invoice.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.dhcpmon.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.Revised invoice.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.Revised invoice.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.dhcpmon.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.dhcpmon.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.0.Revised invoice.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.dhcpmon.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.0.dhcpmon.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.Revised invoice.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.comcr_	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com/	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnicrc	0%	Avira URL Cloud	safe
http://www.carterandcone.comros	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.com#	0%	URL Reputation	safe
http://www.carterandcone.comes	0%	URL Reputation	safe
http://www.carterandcone.comx%	0%	Avira URL Cloud	safe
http://www.monotype.f	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn-	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn;	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm2	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnr-c	0%	Avira URL Cloud	safe
http://www.carterandcone.com-	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnno	0%	Avira URL Cloud	safe
http://www.carterandcone.comes22	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sandoll.co.krs-c	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.carterandcone.comces00	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.urwpp.deoi	0%	URL Reputation	safe
http://www.urwpp.de.	0%	Avira URL Cloud	safe
http://www.goodfont.co.kras	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.krn-uy1	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.carterandcone.comac	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.comF%	0%	Avira URL Cloud	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnh	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html#	0%	Avira URL Cloud	safe
http://www.carterandcone.comic	0%	URL Reputation	safe
http://www.sandoll.co.kr=	0%	Avira URL Cloud	safe
http://www.urwpp.deoa&	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr8b1	0%	Avira URL Cloud	safe
http://www.carterandcone.come	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.zhongyicts.com.cn(ii)	0%	Avira URL Cloud	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.fontbureau.comica	0%	Avira URL Cloud	safe
http://www.carterandcone.comi	0%	URL Reputation	safe
derarawfile10.ddns.net	100%	Avira URL Cloud	malware
http://www.carterandcone.comm	0%	URL Reputation	safe
http://www.carterandcone.come-d	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.carterandcone.comint	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
212.192.246250	0%	Avira URL Cloud	safe
http://www.carterandcone.comoaV2	0%	Avira URL Cloud	safe
http://fontfabrik.comX2	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cnZ	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://fontfabrik.com#	0%	Avira URL Cloud	safe
http://www.tiro.comg	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn//	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
derarawfile10.ddns.net	85.202.169.154	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
derarawfile10.ddns.net	true	Avira URL Cloud: malware	unknown
212.192.246250	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.comcr_	Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com/	Revised invoice.exe, 00000000.00000003.353759018.0000000006212000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cnicrc	Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368137719.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367578995.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368054486.0000000006234000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367728953.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367876523.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comros	Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com#	Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comes	Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comx%	Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersH0	Revised invoice.exe, 00000000.00000003.394089096.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.monotype.f	Revised invoice.exe, 00000000.00000003.372065578.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.372345940.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.372196965.0000000006231000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn-	Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn;	Revised invoice.exe, 00000000.00000003.363022467.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Revised invoice.exe, 00000000.00000003.394089096.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	Revised invoice.exe, 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.com	Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm2	Revised invoice.exe, 00000000.00000003.387775919.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389674141.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387963973.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388779559.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389422039.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388306201.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388109557.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389227415.000000000622C000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388535003.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389804972.000000000622C000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387576262.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389543097.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388898410.000000000622C000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.389047637.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cnr-c	Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com-	Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cnno	Revised invoice.exe, 00000000.00000003.363022467.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comes22	Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krs-c	Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comces00	Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Revised invoice.exe, 00000000.00000003.387775919.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387963973.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388779559.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388306201.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388109557.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.388535003.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.387576262.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Revised invoice.exe, 00000000.00000003.356633716.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356841100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356915572.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deoi	Revised invoice.exe, 00000000.00000003.374215463.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373403063.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.374079868.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373947160.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373821747.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373545548.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373690092.0000000006230000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de.	Revised invoice.exe, 00000000.00000003.383925059.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384255026.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384447138.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384106288.0000000006237000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384524248.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kras	Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	Revised invoice.exe, 00000000.00000003.369688026.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370035509.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369763768.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369845471.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370258143.0000000006233000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krn-uy1	Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.361492036.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.361492036.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comac	Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	Revised invoice.exe, 00000000.00000003.373403063.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.383925059.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384255026.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384447138.0000000006238000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384106288.0000000006237000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373545548.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384668334.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373690092.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.384524248.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comF%	Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.como.	Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368137719.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367578995.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.368054486.0000000006234000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367728953.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367876523.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersp	Revised invoice.exe, 00000000.00000003.374079868.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.come	Revised invoice.exe, 00000000.00000003.353759018.0000000006212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersn	Revised invoice.exe, 00000000.00000003.383733657.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnh	Revised invoice.exe, 00000000.00000003.362696477.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.362926280.0000000006234000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html#	Revised invoice.exe, 00000000.00000003.370879570.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369688026.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370035509.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370392686.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370542926.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369763768.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370742797.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.369845471.0000000006233000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.370258143.0000000006233000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comic	Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr=	Revised invoice.exe, 00000000.00000003.361492036.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deoa&	Revised invoice.exe, 00000000.00000003.373403063.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.374079868.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373947160.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373821747.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373545548.0000000006231000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.373690092.0000000006230000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Revised invoice.exe, 00000000.00000002.406349724.0000000001A67000.00000004.00000020.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr8b1	Revised invoice.exe, 00000000.00000003.361679245.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.come	Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agfamonotype.	Revised invoice.exe, 00000000.00000003.394245963.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410670704.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.394510528.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.394372093.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.394089096.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlt	Revised invoice.exe, 00000000.00000003.380409949.000000000624E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.htmlefa	Revised invoice.exe, 00000000.00000003.377291056.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377794899.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.378110058.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377030811.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377497410.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377619595.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.379352983.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377931382.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377160989.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn(ii)	Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.comlic	Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comica	Revised invoice.exe, 00000000.00000002.406349724.0000000001A67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comi	Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comm	Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366072624.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366460308.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366332325.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.come-d	Revised invoice.exe, 00000000.00000003.366650482.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366788242.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.366932129.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	Revised invoice.exe, 00000000.00000003.363910398.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363989041.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363760748.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363384800.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363563968.0000000006230000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comint	Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365908787.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Revised invoice.exe, 00000000.00000003.364432152.0000000006234000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.362696477.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363910398.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363022467.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363989041.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363760748.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363384800.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.363563968.0000000006230000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364542463.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364298191.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.362926280.0000000006234000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Revised invoice.exe, 00000000.00000003.377056015.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377333224.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377181974.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.377517366.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comoaV2	Revised invoice.exe, 00000000.00000003.367239507.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367578995.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367106783.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.367422104.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.comX2	Revised invoice.exe, 00000000.00000003.356841100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356915572.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	Revised invoice.exe, 00000000.00000003.380642548.000000000624E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.380409949.000000000624E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cnZ	Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	Revised invoice.exe, 00000000.00000002.406349724.0000000001A67000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.	Revised invoice.exe, 00000000.00000003.365408608.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365576119.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365760169.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365101107.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364707365.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.364867736.000000000622E000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.365255484.000000000622E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Revised invoice.exe, 00000000.00000002.410926933.0000000007502000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fontfabrik.com#	Revised invoice.exe, 00000000.00000003.357972442.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357162871.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.356996176.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.358148540.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357338520.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357778044.000000000622B000.00000004.00000800.00020000.00000000.sdmp, Revised invoice.exe, 00000000.00000003.357505167.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comg	Revised invoice.exe, 00000000.00000003.364201705.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	Revised invoice.exe, 00000000.00000003.373947160.000000000622B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn//	Revised invoice.exe, 00000000.00000003.363384800.0000000006230000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.202.169.154	derarawfile10.ddns.net	Netherlands		209401	GUDAEV-ASRU	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	560096
Start date:	26.01.2022
Start time:	06:22:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Revised invoice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/8@15/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.1% (good quality ratio 0.9%) Quality average: 44.3% Quality standard deviation: 30.1%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
TCP Packets have been reduced to 100
Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Revised invoice.exe

Simulations

Behavior and APIs

Time	Type	Description
06:24:04	API Interceptor	745x Sleep call for process: Revised invoice.exe modified
06:24:18	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
06:24:30	API Interceptor	1x Sleep call for process: dhcpmon.exe modified

Process:	C:\Users\user\Desktop\Revised invoice.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	825344
Entropy (8bit):	7.520494128006195
Encrypted:	false
SSDEEP:	24576:2P/qWxHh73mHLVtSsb+MCMaw2JgKhxFMIpydM3:2V4b+M5r2Jd5p
MD5:	4BAB1B0E7BBB12D6280A75EB3475B45B
SHA1:	2C6DA100C498A0862CAFC338B7570AD3714C716E
SHA-256:	1A4032263B7F92E02D65CAC6F7E483C1897DAFB8B9C47937758FEC3DA22F154C
SHA-512:	A52646B46F8BA8985F099C018090789E0482186631CDF31014248CACC31709FB8E70ACB390BAF9F82895488D789EB92AFCAF1980BB38D76505DE215B5F2DDAEF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 23%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..a..............0.............v.... ........@.. ....................................@.................................$...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................X.......H.......<................... ............................................0..G........r...p.......,..r...ps....z...(....(...........r...p.o....(....s....z...........-.......0..o........s......s......~..........(.........o.........,..(.......o .........rW..p..o....(....(!..........,..o".........(.......-..........4B..........Za.......0..o........s#........o$....s%......+......J...r...p(&...o'...&...X....i......-..o(.......&.r...p(!..........,..o"................GO..........

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Revised invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Revised invoice.exe.log

Download File

Process:	C:\Users\user\Desktop\Revised invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\Revised invoice.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\Revised invoice.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:ph6:n6
MD5:	6C095DEF8EC05A7649A760E4872D3C3D
SHA1:	7F8A51E779662D2390F45376D3F293698E33973E
SHA-256:	70834C697DF69CA1B413876FC00EC4D002E32F0EFB68209496F81960BBA64B9B
SHA-512:	82A35B1F211AD3288B49EDDFA9A32EEEC2D31914C46F370F7F9AAAC3F9DB7A76B7B0EE5335862A5B5B6E1CCD1E1928F65F517B2F048C116866E6802839E7AF06
Malicious:	true
Preview:	..Y....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\Revised invoice.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\Revised invoice.exe
File Type:	data
Category:	dropped
Size (bytes):	312480
Entropy (8bit):	7.99946695108875
Encrypted:	true
SSDEEP:	6144:2WYGDIDE+GJclEi5KjQpbL17IzzKJxw2mEhmTvpyD0i:+kIQ+EcFKjObdIA3mEhuvpyDd
MD5:	34CC720BAB9A243A96B008251C4541CA
SHA1:	B275C34B63ECA934EE8DD536B18D753203FC171A
SHA-256:	A63EAF4AE6032C446FDBABB4753851121BB6C03A1CF11749962BF501FF70DEB2
SHA-512:	FC4310B2A4478D04F82A3A1B8C4370442222B8F95EE2AD005FA9F0A638A85EE7E53F00B69027F0338A5A5AC9E42E4C6A5E33716115855567367E2E71D13346E4
Malicious:	false
Preview:	.<.#..!.nt.........I..N#....sb.....Q..O.v.qS.......AK.0.....7].S..K.\|`k......~a..,8..y.C+.3.Z......;LZ.............y.QR..V..-.{".G.....g..]...R<]C`....Fak..{.....?.ViXd.....@k(Z.D...\..c...j.l5){HT....3.....Z...L.}).sH....m.H..._.)...w.@F.X,l......h.....K.S..... ..zi...{.:..y-.....Q.........E..~9......n`ts..Tt.@..x5..$.zv..1..n)...M..)...,`.... ....`....._.....8=y...Ry...r0J.9.....]$..,<.F;..B>..(....,\..{.....{...A..u.......Q.a..$..<..bP. xo.h...[.Y.ng...:.2..r.>......_..h.O:#c.Z.$..\.j......Sb..8.......X...y.(.......W(...v....1"@N!A.8...d.RV..FmyYj.2....g.R..gaA."d..A....B2!.5./...u...c.cw..".p&5.A...%.........B.?3C......z.tKv....=\|.c.....h..\2_....H.{[K..$...4.... .l..Q.=...e..2Y..]..:..>.....c]....q.+G..'.J.....~...$1..R..{..D...5.y$..^...!(..C.0.<(..N...\....FGEi....X.oX.@W....(..-..@.......D.{._p...\.6..zv...n$f:.....e...p..:&..8$ ./k....>Sd......L,P.*<.c....ZK8C.B../'......O........Vz._0$......OZ

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.520494128006195
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Revised invoice.exe
File size:	825344
MD5:	4bab1b0e7bbb12d6280a75eb3475b45b
SHA1:	2c6da100c498a0862cafc338b7570ad3714c716e
SHA256:	1a4032263b7f92e02d65cac6f7e483c1897dafb8b9c47937758fec3da22f154c
SHA512:	a52646b46f8ba8985f099c018090789e0482186631cdf31014248cacc31709fb8e70acb390baf9f82895488d789eb92afcaf1980bb38d76505de215b5f2ddaef
SSDEEP:	24576:2P/qWxHh73mHLVtSsb+MCMaw2JgKhxFMIpydM3:2V4b+M5r2Jd5p
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..a..............0.............v.... ........@.. ....................................@................................

File Icon


Icon Hash:	2c5231b95ab22408

Static PE Info

General

Entrypoint:	0x4ca076
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61F09658 [Wed Jan 26 00:31:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
mov byte ptr [eax-2C754571h], ch
mov ecx, CFB1EDF5h
jmp far 82EBh : FBB5E4AAh
stc
nop
retf B5C9h
out DCh, eax
mov seg?, word ptr [edi-1F081154h]
retf EA8Eh
retf CE80h
lds ebp, fword ptr [ebp-7B2F3B49h]
xchg eax, ebx
aad F0h
jmp 00007F9F64DF062Ah
mov ah, 9Dh
int3
scasd
movsd
xchg eax, ebp
mov edx, 9DD28799h
jecxz 00007F9F64DF05F3h
mov edx, 0000CA90h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xca024	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x11dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc80bc	0xc8200	False	0.701654971502	data	7.52802106198	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x11dc	0x1200	False	0.645616319444	data	6.54059849362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xcc100	0xb3a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xccc4c	0x14	data
RT_VERSION	0xccc70	0x36c	data
RT_MANIFEST	0xccfec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2012
Assembly Version	1.5.0.0
InternalName	IIterat.exe
FileVersion	22.0.3.0
CompanyName
LegalTrademarks
Comments
ProductName	iiInfinityEngine Application
ProductVersion	22.0.3.0
FileDescription	iiInfinityEngine Application
OriginalFilename	IIterat.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/26/22-06:24:42.071716	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56023	8.8.8.8	192.168.2.6
01/26/22-06:24:48.449046	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60261	8.8.8.8	192.168.2.6
01/26/22-06:25:13.132016	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63745	8.8.8.8	192.168.2.6
01/26/22-06:25:19.830871	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50010	8.8.8.8	192.168.2.6
01/26/22-06:25:41.314592	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57574	8.8.8.8	192.168.2.6
01/26/22-06:26:18.057865	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60778	8.8.8.8	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2022 06:24:18.485788107 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:18.512763977 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:18.513204098 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:18.756021976 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:18.864753962 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:18.864942074 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:18.972136974 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:18.972227097 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:18.999602079 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.061052084 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.532491922 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.673132896 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.687484980 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.695467949 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.695513010 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.695539951 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.695554972 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.695573092 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.695601940 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.695612907 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.695621014 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.722363949 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722410917 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722448111 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722481966 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722481966 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.722515106 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722533941 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.722557068 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722589970 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722600937 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.722625017 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.722666979 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.749418974 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749470949 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749538898 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.749547958 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749583006 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749614954 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749623060 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.749648094 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749675989 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749689102 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.749705076 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749739885 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749769926 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749779940 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.749799967 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749826908 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.749840975 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749893904 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749910116 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.749921083 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749946117 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749969006 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.749972105 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.750005960 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.776938915 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.776990891 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777019978 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777048111 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777049065 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777076960 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777089119 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777106047 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777138948 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777153015 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777168989 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777194977 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777211905 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777221918 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777249098 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777264118 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777276039 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777302027 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777321100 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777328968 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777359009 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777371883 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777386904 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777414083 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777426004 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777441025 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777467966 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777479887 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777493954 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777519941 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777534008 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777546883 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777573109 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777596951 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777605057 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777633905 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777648926 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777658939 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777681112 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777698994 CET	49760	1187	192.168.2.6	85.202.169.154
Jan 26, 2022 06:24:19.777714014 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777740955 CET	1187	49760	85.202.169.154	192.168.2.6
Jan 26, 2022 06:24:19.777754068 CET	49760	1187	192.168.2.6	85.202.169.154

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2022 06:24:17.996527910 CET	62044	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:24:18.015832901 CET	53	62044	8.8.8.8	192.168.2.6
Jan 26, 2022 06:24:25.421608925 CET	63791	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:24:25.440938950 CET	53	63791	8.8.8.8	192.168.2.6
Jan 26, 2022 06:24:32.777508020 CET	61346	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:24:32.796672106 CET	53	61346	8.8.8.8	192.168.2.6
Jan 26, 2022 06:24:42.050080061 CET	56023	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:24:42.071716070 CET	53	56023	8.8.8.8	192.168.2.6
Jan 26, 2022 06:24:48.430347919 CET	60261	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:24:48.449045897 CET	53	60261	8.8.8.8	192.168.2.6
Jan 26, 2022 06:24:55.326966047 CET	58336	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:24:55.346101999 CET	53	58336	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:02.217654943 CET	53781	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:02.235038042 CET	53	53781	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:08.164484978 CET	55299	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:08.183748960 CET	53	55299	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:13.111092091 CET	63745	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:13.132015944 CET	53	63745	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:19.809762001 CET	50010	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:19.830871105 CET	53	50010	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:26.769131899 CET	63816	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:26.788825035 CET	53	63816	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:34.897589922 CET	62208	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:34.917278051 CET	53	62208	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:41.295402050 CET	57574	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:41.314591885 CET	53	57574	8.8.8.8	192.168.2.6
Jan 26, 2022 06:25:46.075155973 CET	51818	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:25:46.094746113 CET	53	51818	8.8.8.8	192.168.2.6
Jan 26, 2022 06:26:18.036572933 CET	60778	53	192.168.2.6	8.8.8.8
Jan 26, 2022 06:26:18.057864904 CET	53	60778	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2022 06:24:17.996527910 CET	192.168.2.6	8.8.8.8	0x8e9c	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:25.421608925 CET	192.168.2.6	8.8.8.8	0xd6ac	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:32.777508020 CET	192.168.2.6	8.8.8.8	0xf5af	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:42.050080061 CET	192.168.2.6	8.8.8.8	0x1877	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:48.430347919 CET	192.168.2.6	8.8.8.8	0x92b4	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:55.326966047 CET	192.168.2.6	8.8.8.8	0x119c	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:02.217654943 CET	192.168.2.6	8.8.8.8	0xd9a6	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:08.164484978 CET	192.168.2.6	8.8.8.8	0xbbf0	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:13.111092091 CET	192.168.2.6	8.8.8.8	0x42ac	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:19.809762001 CET	192.168.2.6	8.8.8.8	0x890c	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:26.769131899 CET	192.168.2.6	8.8.8.8	0xdb32	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:34.897589922 CET	192.168.2.6	8.8.8.8	0x7daa	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:41.295402050 CET	192.168.2.6	8.8.8.8	0xc438	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:46.075155973 CET	192.168.2.6	8.8.8.8	0xa1b5	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)
Jan 26, 2022 06:26:18.036572933 CET	192.168.2.6	8.8.8.8	0xd979	Standard query (0)	derarawfile10.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 26, 2022 06:24:18.015832901 CET	8.8.8.8	192.168.2.6	0x8e9c	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:25.440938950 CET	8.8.8.8	192.168.2.6	0xd6ac	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:32.796672106 CET	8.8.8.8	192.168.2.6	0xf5af	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:42.071716070 CET	8.8.8.8	192.168.2.6	0x1877	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:48.449045897 CET	8.8.8.8	192.168.2.6	0x92b4	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:24:55.346101999 CET	8.8.8.8	192.168.2.6	0x119c	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:02.235038042 CET	8.8.8.8	192.168.2.6	0xd9a6	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:08.183748960 CET	8.8.8.8	192.168.2.6	0xbbf0	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:13.132015944 CET	8.8.8.8	192.168.2.6	0x42ac	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:19.830871105 CET	8.8.8.8	192.168.2.6	0x890c	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:26.788825035 CET	8.8.8.8	192.168.2.6	0xdb32	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:34.917278051 CET	8.8.8.8	192.168.2.6	0x7daa	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:41.314591885 CET	8.8.8.8	192.168.2.6	0xc438	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:25:46.094746113 CET	8.8.8.8	192.168.2.6	0xa1b5	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)
Jan 26, 2022 06:26:18.057864904 CET	8.8.8.8	192.168.2.6	0xd979	No error (0)	derarawfile10.ddns.net	85.202.169.154	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	06:23:41
Start date:	26/01/2022
Path:	C:\Users\user\Desktop\Revised invoice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Revised invoice.exe"
Imagebase:	0xf80000
File size:	825344 bytes
MD5 hash:	4BAB1B0E7BBB12D6280A75EB3475B45B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.408160026.0000000004319000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.406375161.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.406688531.00000000033CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Revised invoice.exePID: 6692, Parent PID: 6272

General

Target ID:	4
Start time:	06:24:06
Start date:	26/01/2022
Path:	C:\Users\user\Desktop\Revised invoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Revised invoice.exe
Imagebase:	0x490000
File size:	825344 bytes
MD5 hash:	4BAB1B0E7BBB12D6280A75EB3475B45B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.617046851.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000004.00000002.619048568.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000000.402923457.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000000.402001244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000000.402541996.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000000.403354659.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.618965452.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: dhcpmon.exePID: 2904, Parent PID: 3440

General

Target ID:	11
Start time:	06:24:26
Start date:	26/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0xcf0000
File size:	825344 bytes
MD5 hash:	4BAB1B0E7BBB12D6280A75EB3475B45B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.470438107.000000000319C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.469694616.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.471522970.00000000040E9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 23%, ReversingLabs
Reputation:	low

Analysis Process: dhcpmon.exePID: 5644, Parent PID: 2904

General

Target ID:	12
Start time:	06:24:33
Start date:	26/01/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xce0000
File size:	825344 bytes
MD5 hash:	4BAB1B0E7BBB12D6280A75EB3475B45B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.463093309.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.495569005.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.464915224.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.492933919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.463837365.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.465799773.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.494722519.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Revised invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection

E-Banking Fraud

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Jbx Signature Overview

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Revised invoice.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Static File Info

General

Windows Analysis Report
Revised invoice.exe